mystic | 248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b

Analysis

max time kernel
136s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2024, 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malicious.exe
Size

1.8MB
MD5

18cbe55c3b28754916f1cbf4dfc95cf9
SHA1

7ccfb7678c34d6a2bedc040da04e2b5201be453b
SHA256

248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b
SHA512

e1d4a7ab164a7e4176a3e4e915480e5c60efe7680d99f0f0bcbd834a4bec1798b951c49ef5c0cca6bea3c2577b475de3c51b2ef1ae70b525d046eb06591f7110
SSDEEP

49152:Eau0Bnly1l8B6hLa5vMIKHVo5W1v2mS0la98MT:Nfy1Wo+JK19eFE6

Score

10^/10

mystic redline smokeloader frant backdoor discovery evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

frant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/2416-69-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/2416-67-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/2416-66-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
Mystic family
mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3560-77-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

Redline family
redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Smokeloader family
smokeloader

Executes dropped EXE 8 IoCs

pid	Process
4224	Yt8ge85.exe
2324	GY4IC43.exe
1920	hE8Zq97.exe
4512	1Zn59od7.exe
3712	2PO9885.exe
548	3FD62NB.exe
1844	4Ii975UD.exe
4992	5uR3lF9.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	malicious.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Yt8ge85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	GY4IC43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	hE8Zq97.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4512 set thread context of 4320	4512	1Zn59od7.exe	91
PID 3712 set thread context of 2416	3712	2PO9885.exe	96
PID 548 set thread context of 4240	548	3FD62NB.exe	100
PID 1844 set thread context of 3560	1844	4Ii975UD.exe	104

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2076	4512	WerFault.exe	88
1984	3712	WerFault.exe	95
3716	548	WerFault.exe	99
520	1844	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GY4IC43.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hE8Zq97.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2PO9885.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4Ii975UD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	malicious.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yt8ge85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1Zn59od7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3FD62NB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5uR3lF9.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133760458353321105"	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4320	AppLaunch.exe
4320	AppLaunch.exe
4912	msedge.exe
4912	msedge.exe
3672	msedge.exe
3672	msedge.exe
436	msedge.exe
436	msedge.exe
3984	identity_helper.exe
3984	identity_helper.exe
5660	chrome.exe
5660	chrome.exe
5504	msedge.exe
5504	msedge.exe
5504	msedge.exe
5504	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	4320	AppLaunch.exe
Token: SeShutdownPrivilege	5660	chrome.exe
Token: SeCreatePagefilePrivilege	5660	chrome.exe
Token: SeShutdownPrivilege	5660	chrome.exe
Token: SeCreatePagefilePrivilege	5660	chrome.exe
Token: SeShutdownPrivilege	5660	chrome.exe
Token: SeCreatePagefilePrivilege	5660	chrome.exe
Token: SeShutdownPrivilege	5660	chrome.exe
Token: SeCreatePagefilePrivilege	5660	chrome.exe
Token: SeShutdownPrivilege	5660	chrome.exe
Token: SeCreatePagefilePrivilege	5660	chrome.exe
Token: SeShutdownPrivilege	5660	chrome.exe
Token: SeCreatePagefilePrivilege	5660	chrome.exe
Token: SeShutdownPrivilege	5660	chrome.exe
Token: SeCreatePagefilePrivilege	5660	chrome.exe
Token: SeShutdownPrivilege	5660	chrome.exe
Token: SeCreatePagefilePrivilege	5660	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe
5660	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 4224	5000	malicious.exe	83
PID 5000 wrote to memory of 4224	5000	malicious.exe	83
PID 5000 wrote to memory of 4224	5000	malicious.exe	83
PID 4224 wrote to memory of 2324	4224	Yt8ge85.exe	85
PID 4224 wrote to memory of 2324	4224	Yt8ge85.exe	85
PID 4224 wrote to memory of 2324	4224	Yt8ge85.exe	85
PID 2324 wrote to memory of 1920	2324	GY4IC43.exe	87
PID 2324 wrote to memory of 1920	2324	GY4IC43.exe	87
PID 2324 wrote to memory of 1920	2324	GY4IC43.exe	87
PID 1920 wrote to memory of 4512	1920	hE8Zq97.exe	88
PID 1920 wrote to memory of 4512	1920	hE8Zq97.exe	88
PID 1920 wrote to memory of 4512	1920	hE8Zq97.exe	88
PID 4512 wrote to memory of 1064	4512	1Zn59od7.exe	90
PID 4512 wrote to memory of 1064	4512	1Zn59od7.exe	90
PID 4512 wrote to memory of 1064	4512	1Zn59od7.exe	90
PID 4512 wrote to memory of 4320	4512	1Zn59od7.exe	91
PID 4512 wrote to memory of 4320	4512	1Zn59od7.exe	91
PID 4512 wrote to memory of 4320	4512	1Zn59od7.exe	91
PID 4512 wrote to memory of 4320	4512	1Zn59od7.exe	91
PID 4512 wrote to memory of 4320	4512	1Zn59od7.exe	91
PID 4512 wrote to memory of 4320	4512	1Zn59od7.exe	91
PID 4512 wrote to memory of 4320	4512	1Zn59od7.exe	91
PID 4512 wrote to memory of 4320	4512	1Zn59od7.exe	91
PID 4512 wrote to memory of 4320	4512	1Zn59od7.exe	91
PID 1920 wrote to memory of 3712	1920	hE8Zq97.exe	95
PID 1920 wrote to memory of 3712	1920	hE8Zq97.exe	95
PID 1920 wrote to memory of 3712	1920	hE8Zq97.exe	95
PID 3712 wrote to memory of 2416	3712	2PO9885.exe	96
PID 3712 wrote to memory of 2416	3712	2PO9885.exe	96
PID 3712 wrote to memory of 2416	3712	2PO9885.exe	96
PID 3712 wrote to memory of 2416	3712	2PO9885.exe	96
PID 3712 wrote to memory of 2416	3712	2PO9885.exe	96
PID 3712 wrote to memory of 2416	3712	2PO9885.exe	96
PID 3712 wrote to memory of 2416	3712	2PO9885.exe	96
PID 3712 wrote to memory of 2416	3712	2PO9885.exe	96
PID 3712 wrote to memory of 2416	3712	2PO9885.exe	96
PID 3712 wrote to memory of 2416	3712	2PO9885.exe	96
PID 2324 wrote to memory of 548	2324	GY4IC43.exe	99
PID 2324 wrote to memory of 548	2324	GY4IC43.exe	99
PID 2324 wrote to memory of 548	2324	GY4IC43.exe	99
PID 548 wrote to memory of 4240	548	3FD62NB.exe	100
PID 548 wrote to memory of 4240	548	3FD62NB.exe	100
PID 548 wrote to memory of 4240	548	3FD62NB.exe	100
PID 548 wrote to memory of 4240	548	3FD62NB.exe	100
PID 548 wrote to memory of 4240	548	3FD62NB.exe	100
PID 548 wrote to memory of 4240	548	3FD62NB.exe	100
PID 4224 wrote to memory of 1844	4224	Yt8ge85.exe	103
PID 4224 wrote to memory of 1844	4224	Yt8ge85.exe	103
PID 4224 wrote to memory of 1844	4224	Yt8ge85.exe	103
PID 1844 wrote to memory of 3560	1844	4Ii975UD.exe	104
PID 1844 wrote to memory of 3560	1844	4Ii975UD.exe	104
PID 1844 wrote to memory of 3560	1844	4Ii975UD.exe	104
PID 1844 wrote to memory of 3560	1844	4Ii975UD.exe	104
PID 1844 wrote to memory of 3560	1844	4Ii975UD.exe	104
PID 1844 wrote to memory of 3560	1844	4Ii975UD.exe	104
PID 1844 wrote to memory of 3560	1844	4Ii975UD.exe	104
PID 1844 wrote to memory of 3560	1844	4Ii975UD.exe	104
PID 5000 wrote to memory of 4992	5000	malicious.exe	107
PID 5000 wrote to memory of 4992	5000	malicious.exe	107
PID 5000 wrote to memory of 4992	5000	malicious.exe	107
PID 4992 wrote to memory of 4348	4992	5uR3lF9.exe	109
PID 4992 wrote to memory of 4348	4992	5uR3lF9.exe	109
PID 4348 wrote to memory of 436	4348	cmd.exe	110
PID 4348 wrote to memory of 436	4348	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\malicious.exe
"C:\Users\Admin\AppData\Local\Temp\malicious.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yt8ge85.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yt8ge85.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GY4IC43.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GY4IC43.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hE8Zq97.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hE8Zq97.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1920
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Zn59od7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Zn59od7.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4512
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1064
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 608
        6⤵
        Program crash
        
        PID:2076
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2PO9885.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2PO9885.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3712
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 572
        6⤵
        Program crash
        
        PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3FD62NB.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3FD62NB.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:548
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        
        PID:4240
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 592
        5⤵
        Program crash
        
        PID:3716
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ii975UD.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ii975UD.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3560
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 572
      4⤵
      Program crash
      PID:520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5uR3lF9.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5uR3lF9.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A3A2.tmp\A3A3.tmp\A3A4.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5uR3lF9.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:436
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff9de5646f8,0x7ff9de564708,0x7ff9de564718
        5⤵
        
        PID:4708
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,6363639643267134447,17062903358352611173,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
        5⤵
        
        PID:4376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,6363639643267134447,17062903358352611173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,6363639643267134447,17062903358352611173,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 /prefetch:8
        5⤵
        
        PID:3256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6363639643267134447,17062903358352611173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
        5⤵
        
        PID:3744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6363639643267134447,17062903358352611173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
        5⤵
        
        PID:5020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6363639643267134447,17062903358352611173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
        5⤵
        
        PID:4572
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6363639643267134447,17062903358352611173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
        5⤵
        
        PID:424
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,6363639643267134447,17062903358352611173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 /prefetch:8
        5⤵
        
        PID:4968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,6363639643267134447,17062903358352611173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3984
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6363639643267134447,17062903358352611173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
        5⤵
        
        PID:1360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6363639643267134447,17062903358352611173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
        5⤵
        
        PID:4388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6363639643267134447,17062903358352611173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
        5⤵
        
        PID:228
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6363639643267134447,17062903358352611173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
        5⤵
        
        PID:4736
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,6363639643267134447,17062903358352611173,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3668 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:2704
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9de5646f8,0x7ff9de564708,0x7ff9de564718
        5⤵
        
        PID:4632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,3015592202231660434,1262175061733719862,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
        5⤵
        
        PID:4356
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,3015592202231660434,1262175061733719862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4512 -ip 4512
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3712 -ip 3712
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 548 -ip 548
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1844 -ip 1844
1⤵
PID:3636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9db11cc40,0x7ff9db11cc4c,0x7ff9db11cc58
  2⤵
  PID:5684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,13443047189926133486,818490233659948458,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:5844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,13443047189926133486,818490233659948458,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:5856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,13443047189926133486,818490233659948458,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2492 /prefetch:8
  2⤵
  PID:5908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,13443047189926133486,818490233659948458,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3308,i,13443047189926133486,818490233659948458,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:6128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3724,i,13443047189926133486,818490233659948458,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4768,i,13443047189926133486,818490233659948458,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,13443047189926133486,818490233659948458,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4852,i,13443047189926133486,818490233659948458,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4868,i,13443047189926133486,818490233659948458,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:5484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,13443047189926133486,818490233659948458,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:5508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4992,i,13443047189926133486,818490233659948458,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4820,i,13443047189926133486,818490233659948458,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5136 /prefetch:2
  2⤵
  PID:6080

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
eadc7be877a73fd89526d27e950c7a26

SHA1
d8e21f89bb62cb7f06cf315d171e9aa0bc6270b5

SHA256
f711d8fc2ab6980718b2449e9089cd1026b453d5a8b350827b3f01ec93eb32c9

SHA512
9dbe841e37c17924601ab9c69235c53c73db3586e1334994386f51db3450b3143a58839e427877d66b086cb7fa439a0a5979532f05270acd8a81dc34c2961d73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
499d57c47819114a450061e6c0269aab

SHA1
031ba6ba61c489a65df46e04c750d0765d412db1

SHA256
de53710789d0efa3eb4fbb8e1080999eb5971a45b9d0ed4a5a7f09be4c551115

SHA512
ffeefe70239de7175d6bf8f331c92fad8e01b22a98ce6c1cd82faaad5e353d79ab665130091e70477035d16a83d91cbc4ad1f931181b8bb6d47ddeaed0e74368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7b5c3c468faf6af5aae68365329d2a6f

SHA1
3e6d5aa268f52774d9ac25764b0892ffe1977906

SHA256
b17850d5c2a2309772d9ea87e5945b71c615f954d50feb1d4efc964143d8ae1c

SHA512
40e84d1702f455b00e262108287d80b2f9e8277dabc9d1d5e44d6c35146a8b2f0c4fc39fbf447e4f9d29dfee9885671d2f82bf2bea042b118fbd31c69721be38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7370adbd2f50ffdd754594555f140609

SHA1
8bf92aa261b525440f559116166ed320e88f1ab5

SHA256
cf53a60594e272b4067b828ec7ce42d45fd5794c030a8c64186c0b1c8d6ceb5d

SHA512
9f564d02d3afd57cdc077daf8d15e8e3af79736d33f069afdd5f6972945656ac62370281f8b3bf39bd0e54604fb4e408ca6331080e344e3308d99bfa26ec6475

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
05f01f98707edf8e92b397d1c06a83bb

SHA1
77e080c894a78cefdc1f9d052af907331e714617

SHA256
960784667d129c985df1244723c21c21e8bdc3eb87374d1a443f82ecca71cc53

SHA512
d8c9d539d1a379c09c8fddfd5c9e50b7ed9c55f0371cb8a2c1116e7b7287103bc8dbe29c7539f9c5ab41dd11d36ecd38553b6dd7f8f625d2d4f993712e77b3f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
57c80b86792b6607e791e9603c4f01f2

SHA1
5cebdd6dd56e1e88d1508977d968c46fded91f5e

SHA256
fcca2042e0f6ab7ffa6f0451ea54fc24f3eda5c13178b05936a5721afa38bdd0

SHA512
04d2ec96d73637be5cfa0e5c8d64419081ea25f3c7acd278c2b5245291810f6840403413e97a0939ae9c2335392225b0492a25ddccbea8216bcbb28572a7673a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
1169ceb42c22a46076faad90282cb422

SHA1
380654790ee7fc3600ef8fd6d58aabfef688e9ed

SHA256
1e4e31e3074d43ac410f7a11370f25a6ef67cc28a0abc452d8ee4a9e98116c95

SHA512
28ca12412eef1fd9be5db5853fad1b1c067757c76c979c750761cd4850a33afd7066eae530007de2c1df842eb9b9734168159cd4dd917d96c60e2e7f42d212c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
506fe5b448972f00e71df8a87a3ddde4

SHA1
b68550eaea72dd65f4b0c4029ad6b2fe75adf79c

SHA256
d0ff0cb8bb9e4e16dc535284dca3f28a8ab27d62c13ac9f883720ad7dcb40285

SHA512
9f500bbe594e9c7bab10cb885da68c2d5660af2fa3113156560eb6b50768770eaf8dc55854be34a5239d55bbb8c1d450e4d4addb8ad4a47f2e8ab654ba0cc301

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
9738524c5ba1c2391e5850e4e4889992

SHA1
e167bd42291ee91f8fd6aefff2b2f225131341ff

SHA256
562824bb3986d90c09d921af14b0f1048ff2a507c2d8b7fb84839aad7584ee90

SHA512
9e196706155c6f77a297fdf68aff42a7c19be3cc2d100ac324b3c4fa4d55b76a000fc05b8d88b5564c882ff94bd1681b9c90b288a98d1c7362160951de7c67a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
69c930f5a78494a122c1cdb3a553ee95

SHA1
d7d6e0696ac486bb4f365702852cc7a4a0098933

SHA256
9594bad69f42812a64d8261f81bb91c151d41cbfb223dce983e6fe82e8cb4f9e

SHA512
a28b5e2fa6a807e272b094e200747553a383b8ed19a885751d98cebaba2512e6ec3b6400e543d4666a020f04562cf1219a3f34a6432524152c5635b31e1fb154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
af5030c6503d3d6ed6be2b5383f642e2

SHA1
428191d3850f0d72afd12bd315abe29eee38cb01

SHA256
8ad9ca4d81061c08fab69cacccb62f7c01bdbf1199eb2bf684c2d7a3b13407a9

SHA512
c3f8192b350dff2bcbf7e0bf99f688a695258e80f5b90cb6376161c49939e559549d1e36242453c06f4be0eb5177e065cc5d76a93ddc27581bac4d939d49b38b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
820b3e98a6969aa1d5b8e0ca96ab6061

SHA1
26ccab73fe652f57c2305d0e7f8dd566fbf2b859

SHA256
8f7c293f434196bf6afb49ebeb08790f395a8a5e47f7f1e5b5de175733920973

SHA512
224a471e216c041b24c6263e184ebef501c96d0edf76a03cff1e4321a08035affb6f971c88322151b0ec3b15a91aaf27a33bebe1e834049165f67248419fef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e4a9f23da615b8311a7437d444174abc

SHA1
498d4111cec2ebcf77ffa1ef6b9059df5006c1ee

SHA256
fe2ee0fca5112f5b196a1b6125b972f1448e91c14929c53c9180bb0bd1258c51

SHA512
e57fbc7b8e4339dd367cb0347d4119fc6aa02a9ddb0d093292f12fc6418d93a1b5e3109bb921e10b8ff9018cdd98654d7e92d370f2a7ef0b3a1c5608bb07d9c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
8a8f737010cfc026e38b5478292b207f

SHA1
9e79f7111ba96ee2f9b64537325c8cef245c1314

SHA256
0e9b999fc37e710a7761194cd9f2087432722bd7411af73a98b46acb7bf023a3

SHA512
22256edf37fe765b1a83c5b8c6a64093bc4569a6c80a13b7cca7e2f4c64ea79a0260fab983db7a3dce9ae1da7a33406e40e6406e837ea5b35a5e0d5a70e6f0a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5855bc.TMP

Filesize
872B

MD5
3627bdbd3a6b97488198fcbbe519e6da

SHA1
1bab8248a9408477fc15b277eeff11a12bca64ef

SHA256
38278d55513ceecfcea94c0074bfb8665b74ead320a44425e0b2cc2ae300f785

SHA512
d807894f4d39db2294f8669f8527d85786ccdf242a61ba11e8e377a5c04acc1883188acd4232d28df15793c1c8fab0ff7715355f814c66c055dd0c7476fdfad5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c4512d335cbf129888bfdc3454945754

SHA1
2c8216a6662d24f3be7b3af46965b48c8a8c1aff

SHA256
68b3899b06362b14eaf92d25dd99736f0f12cffa3f787775fef725b34264c8ed

SHA512
39013c1a20045980ddabd6036a79d17786289b48801b40c35b89380eb3fea3ca84034de1b4cac6a654bedf9a47f8bdc153d5a356635beb26727a7beb1c30a26e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e2a09b2f0568206dc1cbe36a4f8ecb9b

SHA1
864766d543cd24b7e40e2ade5990a2026956f43f

SHA256
069cf77c9bab4e0c04aa78acf458ded1ecfb7e77eccfc92877367ec8aceaf277

SHA512
23f1bc62073696c3aa32117f088e5c2a3250e0018539b151c4af8d53ec28bdfe56197347022409fd6ff3844c6209fc5456196d1506d049035b45ff6cac77c1b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f4de2a6d4b819cf51c84261eb72b7e29

SHA1
f873131b1c9faff9bf75b2e9c5ddbb54bd20807d

SHA256
9ad12128600d8f8fcdad9952bf66389d55022eddbe7026803bf406fe6b7f239d

SHA512
d511cf103b0211dee203f7c1d4536ca9664ade6188b669b79debe39b4f3827286734f3e294d4131601d87aa68da4244287cdc8c2b39b0761bd16a87180e2635c

Download Submit
C:\Users\Admin\AppData\Local\Temp\19f29c61-c950-4287-b8c0-35f46309c312.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3A2.tmp\A3A3.tmp\A3A4.bat

Filesize
90B

MD5
5a115a88ca30a9f57fdbb545490c2043

SHA1
67e90f37fc4c1ada2745052c612818588a5595f4

SHA256
52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d

SHA512
17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5uR3lF9.exe

Filesize
100KB

MD5
e0f8b21b36fee4e7738a6b5a1ab83673

SHA1
e305d55d4d47bfa62eae5f8e6f34e5b133a6f40b

SHA256
c567d825d19e24343647ed36c77033fb1f46f420384745a9734618684cb7d384

SHA512
716e6624ff87c859d08e2bbcda1137a2386d30b5b9ef545daf2c6585bc3366561773b9ad6c719a1ad99f1bacb219544ae4556629b355250e2234a7f87d24e238

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yt8ge85.exe

Filesize
1.7MB

MD5
847ee3021803e4adaefcc00aa8283017

SHA1
87644df0985b5ef9791c72ce79f423350629659e

SHA256
4611614d9c95b0d0e4bf4aa486cc700db6e49dbef7fa2726b20f165e6798a9f7

SHA512
1aaea476c061160439439d2dadc05e451166faa5614ccf8960b592df6933d07c867ab8813c08026b8b2c35b20b03dc0d26641e228fe06cff8c4938367e515b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ii975UD.exe

Filesize
1.8MB

MD5
cfbb3be155b12d0cc69e3d932fbb81eb

SHA1
fb5ed48a80131043c4dd2e4ac69b4b38578f9753

SHA256
fd37c07f519f522eb717a372299525f667439b8b0d1aaffb670a011dbbcd58f2

SHA512
38aadedee5bd57c7f475e96d74abbb0e671bca462c2c700b7a034e2d1513bd8aebc30b7b75bf1e8cd7b7e3a831e69d5dd0ceaee3d18ed296a2cb3d1b051164cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GY4IC43.exe

Filesize
1.2MB

MD5
252043d1805587b0e65a07f885d6719e

SHA1
2210de44be60ba496ea5d4068e715c1308066989

SHA256
66839bc22b9c9f717198cf8faa64146fe95dff51dfbb8c0f61982f2e50e89557

SHA512
dbcdb0b6fe37cf2c733b6683c2e245008400c84b59450f34a794e513955aaf392982e20f2eb2fce696eec2574fe15f699841748a21fce6a1e20a4381fd52f950

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3FD62NB.exe

Filesize
1.6MB

MD5
7d377f5e1ba6597ff2cfe4f92639367d

SHA1
188ab803c9926ff3448c458030f418099ea03407

SHA256
c705efd2888dfbede96714b58aede50a28b3da45aba83a909cb104ce34dc735e

SHA512
2adad69f3a358ad955b00c8d7826c396feef9d583407d4c7d53ce3e16ed760f148f553f49df5bbcd6c5c68b87bcf7e1472d3c789946b23dab7ae94b4036540e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hE8Zq97.exe

Filesize
725KB

MD5
403a939a04b4384204d35dbc659bf772

SHA1
a5424bc4b18c00fd261d71861fad75502a963397

SHA256
75d5ae4d95b66cb33ccb1b8c39adda5b287ab6c44b11aa42b8f3351024fce1fc

SHA512
860d17990d95694bd7e799b22e6af6fd93a20276439829e945f9aff079b6c708851e8b3e55200b8ef97d41d91608911a414b4a69c26e5593b9b4ca8a134ddbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Zn59od7.exe

Filesize
1.8MB

MD5
ca7a5693b5b0e8b54d6dad6a5b1b86b5

SHA1
49da08ec9be5e002b0d22dd630182c3a905c76c7

SHA256
2d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12

SHA512
68ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2PO9885.exe

Filesize
1.7MB

MD5
144dc3c0a5275a93ff86f00b5c61b9ec

SHA1
784168ab3c4711737656ca13dc4cb59ca267fa45

SHA256
179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787

SHA512
9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5660_2137610224\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5660_2137610224\dfc302c8-f2d9-4d0d-ab24-a550cfb337cb.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
memory/2416-69-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2416-67-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2416-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3560-88-0x0000000007DF0000-0x0000000007E2C000-memory.dmp

Filesize
240KB

Download
memory/3560-89-0x0000000007E30000-0x0000000007E7C000-memory.dmp

Filesize
304KB

Download
memory/3560-87-0x0000000007D90000-0x0000000007DA2000-memory.dmp

Filesize
72KB

Download
memory/3560-77-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3560-78-0x0000000007A70000-0x0000000007B02000-memory.dmp

Filesize
584KB

Download
memory/3560-79-0x0000000005070000-0x000000000507A000-memory.dmp

Filesize
40KB

Download
memory/3560-84-0x0000000008B10000-0x0000000009128000-memory.dmp

Filesize
6.1MB

Download
memory/3560-86-0x00000000084F0000-0x00000000085FA000-memory.dmp

Filesize
1.0MB

Download
memory/4240-73-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4320-58-0x0000000005560000-0x0000000005576000-memory.dmp

Filesize
88KB

Download
memory/4320-52-0x0000000005560000-0x0000000005576000-memory.dmp

Filesize
88KB

Download
memory/4320-49-0x0000000005560000-0x0000000005576000-memory.dmp

Filesize
88KB

Download
memory/4320-50-0x0000000005560000-0x0000000005576000-memory.dmp

Filesize
88KB

Download
memory/4320-54-0x0000000005560000-0x0000000005576000-memory.dmp

Filesize
88KB

Download
memory/4320-56-0x0000000005560000-0x0000000005576000-memory.dmp

Filesize
88KB

Download
memory/4320-44-0x0000000005560000-0x0000000005576000-memory.dmp

Filesize
88KB

Download
memory/4320-42-0x0000000005560000-0x0000000005576000-memory.dmp

Filesize
88KB

Download
memory/4320-41-0x0000000005560000-0x0000000005576000-memory.dmp

Filesize
88KB

Download
memory/4320-60-0x0000000005560000-0x0000000005576000-memory.dmp

Filesize
88KB

Download
memory/4320-62-0x0000000005560000-0x0000000005576000-memory.dmp

Filesize
88KB

Download
memory/4320-46-0x0000000005560000-0x0000000005576000-memory.dmp

Filesize
88KB

Download
memory/4320-34-0x0000000005560000-0x000000000557C000-memory.dmp

Filesize
112KB

Download
memory/4320-33-0x0000000005CA0000-0x0000000006244000-memory.dmp

Filesize
5.6MB

Download
memory/4320-32-0x0000000003040000-0x000000000305E000-memory.dmp

Filesize
120KB

Download
memory/4320-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4320-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4320-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4320-38-0x0000000005560000-0x0000000005576000-memory.dmp

Filesize
88KB

Download
memory/4320-36-0x0000000005560000-0x0000000005576000-memory.dmp

Filesize
88KB

Download
memory/4320-35-0x0000000005560000-0x0000000005576000-memory.dmp

Filesize
88KB

Download