f422d28bbfd249b233299b1e98706816d23029424646a5f7e8d8ad0e37db76b2

Analysis

max time kernel
1055s
max time network
1060s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
05-03-2022 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Signalis/DLC/freebl3.dll
Size

326KB
MD5

ef2834ac4ee7d6724f255beaf527e635
SHA1

5be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256

a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512

c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Score

9^/10

evasion spyware stealer

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

Signalis.exeGameSetup.exeGameSetup.exeGameSetup.exeGameSetup.exeAnyRunHelper.exeFiddlerInstaller.exeFiddlerSetup.exeSetupHelper

pid	process
4192	Signalis.exe
4556	GameSetup.exe
860	GameSetup.exe
4016	GameSetup.exe
2312	GameSetup.exe
3588	AnyRunHelper.exe
4604	FiddlerInstaller.exe
388	FiddlerSetup.exe
4544	SetupHelper

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyRunHelper.exeFiddlerSetup.exeGameSetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	AnyRunHelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	FiddlerSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	GameSetup.exe

Loads dropped DLL 12 IoCs

Processes:

Signalis.exeGameSetup.exeGameSetup.exeGameSetup.exeGameSetup.exeFiddlerSetup.exe

pid	process
4192	Signalis.exe
4192	Signalis.exe
4556	GameSetup.exe
860	GameSetup.exe
4016	GameSetup.exe
860	GameSetup.exe
860	GameSetup.exe
2312	GameSetup.exe
860	GameSetup.exe
2312	GameSetup.exe
2312	GameSetup.exe
388	FiddlerSetup.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\AnyRunHelper.exe	nsis_installer_2
C:\Users\Admin\Downloads\AnyRunHelper.exe	nsis_installer_2
C:\Users\Admin\FiddlerInstaller.exe	nsis_installer_1
C:\Users\Admin\FiddlerInstaller.exe	nsis_installer_2
C:\Users\Admin\FiddlerInstaller.exe	nsis_installer_1
C:\Users\Admin\FiddlerInstaller.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nstF4F4.tmp\FiddlerSetup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nstF4F4.tmp\FiddlerSetup.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nstF4F4.tmp\FiddlerSetup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nstF4F4.tmp\FiddlerSetup.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

FiddlerSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "0"	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "9999"	FiddlerSetup.exe

Modifies registry class 64 IoCs

Processes:

FiddlerSetup.exefirefox.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\.saz\ = "Fiddler.ArchiveZip"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Fiddler.ArchiveZip\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\SAZ.ico"	FiddlerSetup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Fiddler.ArchiveZip	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Fiddler.ArchiveZip\PerceivedType = "compressed"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer	FiddlerSetup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e8005398e082303024b98265d99428e115f0000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Fiddler.ArchiveZip\Shell\Open	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Fiddler.ArchiveZip\DefaultIcon	FiddlerSetup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Fiddler.ArchiveZip\Content Type = "application/vnd.telerik-fiddler.SessionArchive"	FiddlerSetup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -viewer \"%1\""	FiddlerSetup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Fiddler.ArchiveZip\ = "Fiddler Session Archive"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -noattach \"%1\""	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe

NTFS ADS 3 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\AnyRunHelper.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\SIGNALIS.rar:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Signalis.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

GameSetup.exeGameSetup.exeAnyRunHelper.exe

pid	process
4016	GameSetup.exe
4016	GameSetup.exe
2312	GameSetup.exe
2312	GameSetup.exe
3588	AnyRunHelper.exe
3588	AnyRunHelper.exe
3588	AnyRunHelper.exe
3588	AnyRunHelper.exe
3588	AnyRunHelper.exe
3588	AnyRunHelper.exe
3588	AnyRunHelper.exe
3588	AnyRunHelper.exe
3588	AnyRunHelper.exe
3588	AnyRunHelper.exe
3588	AnyRunHelper.exe
3588	AnyRunHelper.exe
3588	AnyRunHelper.exe
3588	AnyRunHelper.exe
3588	AnyRunHelper.exe
3588	AnyRunHelper.exe
3588	AnyRunHelper.exe
3588	AnyRunHelper.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

firefox.exeAnyRunHelper.exe

description	pid	process
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	4336	firefox.exe
Token: SeDebugPrivilege	3588	AnyRunHelper.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4336 firefox.exe
4336 firefox.exe
4336 firefox.exe
4336 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4336 firefox.exe
4336 firefox.exe
4336 firefox.exe

Suspicious use of SetWindowsHookEx 53 IoCs

Processes:

firefox.exe

pid	process
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe
4336	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exefirefox.exefirefox.exe

description	pid	process	target process
PID 2392 wrote to memory of 2532	2392	rundll32.exe	rundll32.exe
PID 2392 wrote to memory of 2532	2392	rundll32.exe	rundll32.exe
PID 2392 wrote to memory of 2532	2392	rundll32.exe	rundll32.exe
PID 4532 wrote to memory of 4336	4532	firefox.exe	firefox.exe
PID 4532 wrote to memory of 4336	4532	firefox.exe	firefox.exe
PID 4532 wrote to memory of 4336	4532	firefox.exe	firefox.exe
PID 4532 wrote to memory of 4336	4532	firefox.exe	firefox.exe
PID 4532 wrote to memory of 4336	4532	firefox.exe	firefox.exe
PID 4532 wrote to memory of 4336	4532	firefox.exe	firefox.exe
PID 4532 wrote to memory of 4336	4532	firefox.exe	firefox.exe
PID 4532 wrote to memory of 4336	4532	firefox.exe	firefox.exe
PID 4532 wrote to memory of 4336	4532	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2936	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2936	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 2208	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 1292	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 1292	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 1292	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 1292	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 1292	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 1292	4336	firefox.exe	firefox.exe
PID 4336 wrote to memory of 1292	4336	firefox.exe	firefox.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Signalis\DLC\freebl3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Signalis\DLC\freebl3.dll,#1
2⤵
PID:2532

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4532

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4336.0.498746869\1617766076" -parentBuildID 20200403170909 -prefsHandle 1704 -prefMapHandle 1696 -prefsLen 1 -prefMapSize 219548 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4336 "\\.\pipe\gecko-crash-server-pipe.4336" 1792 gpu
3⤵
PID:2936

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4336.3.370423756\1430607219" -childID 1 -isForBrowser -prefsHandle 2424 -prefMapHandle 2432 -prefsLen 112 -prefMapSize 219548 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4336 "\\.\pipe\gecko-crash-server-pipe.4336" 2488 tab
3⤵
PID:2208

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4336.13.201129017\60319629" -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 3524 -prefsLen 6969 -prefMapSize 219548 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4336 "\\.\pipe\gecko-crash-server-pipe.4336" 3692 tab
3⤵
PID:1292

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4336.20.1905912459\2069914532" -childID 3 -isForBrowser -prefsHandle 4676 -prefMapHandle 4648 -prefsLen 7896 -prefMapSize 219548 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4336 "\\.\pipe\gecko-crash-server-pipe.4336" 4460 tab
3⤵
PID:3204

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4336.27.456295407\668321160" -childID 4 -isForBrowser -prefsHandle 4640 -prefMapHandle 5064 -prefsLen 10973 -prefMapSize 219548 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4336 "\\.\pipe\gecko-crash-server-pipe.4336" 8300 tab
3⤵
PID:2032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4336.34.377061251\582984473" -childID 5 -isForBrowser -prefsHandle 8168 -prefMapHandle 3292 -prefsLen 10973 -prefMapSize 219548 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4336 "\\.\pipe\gecko-crash-server-pipe.4336" 8108 tab
3⤵
PID:3260

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4336.41.788526892\712578814" -childID 6 -isForBrowser -prefsHandle 5072 -prefMapHandle 5040 -prefsLen 10973 -prefMapSize 219548 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4336 "\\.\pipe\gecko-crash-server-pipe.4336" 6900 tab
3⤵
PID:4476

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4336.48.789670954\12464160" -childID 7 -isForBrowser -prefsHandle 4400 -prefMapHandle 6972 -prefsLen 12551 -prefMapSize 219548 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4336 "\\.\pipe\gecko-crash-server-pipe.4336" 1380 tab
3⤵
PID:848

C:\Users\Admin\Downloads\Signalis.exe
"C:\Users\Admin\Downloads\Signalis.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4192

C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\GameSetup.exe
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\GameSetup.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4556

C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\GameSetup.exe
"C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\GameSetup.exe" --type=gpu-process --field-trial-handle=1604,8716591239246812489,58654050403814504,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1612 /prefetch:2
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:860

C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\GameSetup.exe
"C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\GameSetup.exe" --type=utility --field-trial-handle=1604,8716591239246812489,58654050403814504,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2188 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\GameSetup.exe
"C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\GameSetup.exe" --type=renderer --field-trial-handle=1604,8716591239246812489,58654050403814504,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\resources\app.asar" --node-integration --no-sandbox --no-zygote --enable-remote-module --background-color=#0c0d10 --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2408 /prefetch:1
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1716

C:\Users\Admin\Downloads\AnyRunHelper.exe
"C:\Users\Admin\Downloads\AnyRunHelper.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Users\Admin\FiddlerInstaller.exe
"C:\Users\Admin\FiddlerInstaller.exe"
2⤵
- Executes dropped EXE
PID:4604

C:\Users\Admin\AppData\Local\Temp\nstF4F4.tmp\FiddlerSetup.exe
"C:\Users\Admin\AppData\Local\Temp\nstF4F4.tmp\FiddlerSetup.exe" /D=
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
PID:388

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"
4⤵
PID:3584

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"
4⤵
PID:4456

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
4⤵
PID:4468

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
5⤵
PID:3156

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 274 -Pipe 27c -Comment "NGen Worker Process"
5⤵
PID:4276

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 288 -Pipe 1f8 -Comment "NGen Worker Process"
5⤵
PID:832

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 0 -NGENProcess 2c8 -Pipe 270 -Comment "NGen Worker Process"
5⤵
PID:1900

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 288 -Pipe 2c4 -Comment "NGen Worker Process"
5⤵
PID:4148

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 0 -NGENProcess 2f4 -Pipe 2a0 -Comment "NGen Worker Process"
5⤵
PID:4828

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 0 -NGENProcess 2f4 -Pipe 2d4 -Comment "NGen Worker Process"
5⤵
PID:1336

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 0 -NGENProcess 278 -Pipe 274 -Comment "NGen Worker Process"
5⤵
PID:896

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 2f8 -Pipe 2d0 -Comment "NGen Worker Process"
5⤵
PID:872

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 0 -NGENProcess 2e4 -Pipe 2f4 -Comment "NGen Worker Process"
5⤵
PID:1516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 0 -NGENProcess 2dc -Pipe 278 -Comment "NGen Worker Process"
5⤵
PID:4312

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 0 -NGENProcess 300 -Pipe 2cc -Comment "NGen Worker Process"
5⤵
PID:4140

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 2e0 -Pipe 304 -Comment "NGen Worker Process"
5⤵
PID:804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 2ec -Pipe 2f8 -Comment "NGen Worker Process"
5⤵
PID:5020

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 28c -Comment "NGen Worker Process"
5⤵
PID:4308

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 0 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
5⤵
PID:5064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 0 -NGENProcess 2dc -Pipe 2d8 -Comment "NGen Worker Process"
5⤵
PID:5124

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 0 -NGENProcess 310 -Pipe 2f0 -Comment "NGen Worker Process"
5⤵
PID:5172

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"
4⤵
PID:2140

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
5⤵
PID:768

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 2dc -Pipe 2d8 -Comment "NGen Worker Process"
5⤵
PID:860

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 0 -NGENProcess 2bc -Pipe 2c4 -Comment "NGen Worker Process"
5⤵
PID:2184

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 2bc -Pipe 1e8 -Comment "NGen Worker Process"
5⤵
PID:4024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 2d4 -Pipe 270 -Comment "NGen Worker Process"
5⤵
PID:1144

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 270 -Pipe 288 -Comment "NGen Worker Process"
5⤵
PID:2532

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 0 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
5⤵
PID:3676

C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper
"C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"
4⤵
- Executes dropped EXE
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Fiddler2FirstRun
4⤵
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc37b946f8,0x7ffc37b94708,0x7ffc37b94718
5⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8199211006054186006,6242618361123036394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
5⤵
PID:2428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,8199211006054186006,6242618361123036394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
5⤵
PID:4304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,8199211006054186006,6242618361123036394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
5⤵
PID:380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8199211006054186006,6242618361123036394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
5⤵
PID:2328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8199211006054186006,6242618361123036394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
5⤵
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,8199211006054186006,6242618361123036394,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4428 /prefetch:8
5⤵
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8199211006054186006,6242618361123036394,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
5⤵
PID:2012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8199211006054186006,6242618361123036394,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1
5⤵
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8199211006054186006,6242618361123036394,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
5⤵
PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
5⤵
PID:1460

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff7b7a55460,0x7ff7b7a55470,0x7ff7b7a55480
6⤵
PID:384

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,8199211006054186006,6242618361123036394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
5⤵
PID:4876

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,8199211006054186006,6242618361123036394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
5⤵
PID:2000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:4676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\Fiddler\Analytics.dll

MD5
1c2bd080b0e972a3ee1579895ea17b42

SHA1
a09454bc976b4af549a6347618f846d4c93b769b

SHA256
166e1a6cf86b254525a03d1510fe76da574f977c012064df39dd6f4af72a4b29

SHA512
946e56d543a6d00674d8fa17ecd9589cba3211cfa52c978e0c9dab0fa45cdfc7787245d14308f5692bd99d621c0caca3c546259fcfa725fff9171b144514b6e0

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe

MD5
8ea7eaa03873d0a83052024859709764

SHA1
8c1275719f0f5289abe676ae28e6c4bbe6a160b8

SHA256
084a58e53f15119841f4d885a4a728b553828643fc92de587c4d5cfdee66ca3b

SHA512
f4955ed509fee0ee714ebaf267171849f67a01b519abf18f5171b55dd808fd6fc2033e2eb89d9b89db330f1fe40e9d3fa298307a6122777a60e77ce09faf6ad4

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe

MD5
908ca3fcf82dd062c5c5880845ca3457

SHA1
f588b17d247e7d6c4a25b6487ad5fd4bf34c0f33

SHA256
c44fc144a875be0b93ca720efe2e7509d360f6e7d3e28a55b00625a6c4e84b8d

SHA512
a7535aeb84e7799d67c412b9c5a6cd65ecfcc8cf975bac98b6bde12dd774a266895cff73b116395136c875e47337e76b71e27e7e1d3f93b4b3ca528e68a50f0d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe.config

MD5
38a7379a4b36fc661c69a3e299373a05

SHA1
1b0de45ad7fe759499c57cc1aa9c1da441d9167a

SHA256
70107440ed3e5ce934b947a85669a963ed0370d1d34c27e8f3bd2a8f5f670342

SHA512
5c91d3ebae7a1d0fc068303632cdd7f789bfc3f5158c338d253ef0ba584bde2346e86287dd56f8dd266494ecf1307fb091e548b5cb795a80e5969f09f7507f02

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Newtonsoft.Json.dll

MD5
5afda7c7d4f7085e744c2e7599279db3

SHA1
3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256
f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

SHA512
7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper

MD5
fc95e43b398d6ac6c61a4d59e769f9fa

SHA1
80a2db2d65c07d0e971fcab2d3b88b3824e410c9

SHA256
f6351598de77147baeb7c0bb678019be8700b8e52f3ef998642457f7fdf8d64d

SHA512
4c384e31e16982c1b81dcf01c3cff104439b5998c60afab0f68769b82071dd34584f8c4129dddc21ddd457b5ea3af6cc8bfa078a5e65aa4519f23dda6d975527

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper

MD5
fc95e43b398d6ac6c61a4d59e769f9fa

SHA1
80a2db2d65c07d0e971fcab2d3b88b3824e410c9

SHA256
f6351598de77147baeb7c0bb678019be8700b8e52f3ef998642457f7fdf8d64d

SHA512
4c384e31e16982c1b81dcf01c3cff104439b5998c60afab0f68769b82071dd34584f8c4129dddc21ddd457b5ea3af6cc8bfa078a5e65aa4519f23dda6d975527

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Telerik.NetworkConnections.dll

MD5
798d6938ceab9271cdc532c0943e19dc

SHA1
5f86b4cd45d2f1ffae1153683ce50bc1fb0cd2e3

SHA256
fb90b6e76fdc617ec4ebf3544da668b1f6b06c1debdba369641c3950cab73dd2

SHA512
644fde362f032e6e479750696f62e535f3e712540840c4ca27e10bdfb79b2e5277c82a6d8f55f678e223e45f883776e7f39264c234bc6062fc1865af088c0c31

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Xceed.FileSystem.v5.4.dll

MD5
4f01f4c6ee8703230c636bbed2b68e7e

SHA1
6de4005b18fee954e7f9b8d511b5173f1fd87b06

SHA256
d7f8eb14b7f0de5d65b03bfb1fa39a39e94540642e523f2a3c33aa9b8225ea16

SHA512
bd1371da699f14100dad26bce8027b04e855ae723c3b55ea435a5038751224db5b7050062493dbdbbcdc891956791720792f1cbc4cbd3979f2c6be8eead7a8c3

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Xceed.Zip.v5.4.dll

MD5
8758599a28ed2de95c7548f0827b8ebb

SHA1
9284399757c8951392c1de27990d660a04497792

SHA256
e7b150637b29f6857fa4f048b80ad7529a09f6c7c7a7e19bfedf1689fb95c601

SHA512
6da0a682ae1d5ae4407e2c8bdbccb5d65b4559c60b0e1f1688a4706f06ee8d4c52956902d6c99d475515f65efb4e402b28e777c9fa025f602d2b20f76c05ff5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\D3DCompiler_47.dll

MD5
6bc4ada9a7cab72f49c564e6c86b4c3e

SHA1
f0fba01542a0fbe585106f7efd884df65e8c89dc

SHA256
7d0d1290382ea0e44a3178446a0c202696237e27dbb5f8f0827691092b8f2228

SHA512
d7ec39514c104b40a42cd3ca956ba84f5a78f237a39f40d85ba54983145bce2dfbc7ec5e0cbc1bf8ab64d1d370371a7cba5e30202d2c1f37782db32486ed7f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\GameSetup.exe

MD5
f5730ff133bb1267cfd49ec58b371b81

SHA1
3548cc6e793116baed9f1d9843afab7f89bea8c6

SHA256
3be162f34b8109d1b900636a9f05b22e53eca56cfdf1c0f9a6ac6c43ded722af

SHA512
c149f6a6494f66ea6cb7fa3121bcfdf20fc115f90b93d33318216579257d165975922dddb78caf411b06e72d4ebc4da910d15679f291192d0019979f951308c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\GameSetup.exe

MD5
f5730ff133bb1267cfd49ec58b371b81

SHA1
3548cc6e793116baed9f1d9843afab7f89bea8c6

SHA256
3be162f34b8109d1b900636a9f05b22e53eca56cfdf1c0f9a6ac6c43ded722af

SHA512
c149f6a6494f66ea6cb7fa3121bcfdf20fc115f90b93d33318216579257d165975922dddb78caf411b06e72d4ebc4da910d15679f291192d0019979f951308c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\GameSetup.exe

MD5
f5730ff133bb1267cfd49ec58b371b81

SHA1
3548cc6e793116baed9f1d9843afab7f89bea8c6

SHA256
3be162f34b8109d1b900636a9f05b22e53eca56cfdf1c0f9a6ac6c43ded722af

SHA512
c149f6a6494f66ea6cb7fa3121bcfdf20fc115f90b93d33318216579257d165975922dddb78caf411b06e72d4ebc4da910d15679f291192d0019979f951308c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\GameSetup.exe

MD5
f5730ff133bb1267cfd49ec58b371b81

SHA1
3548cc6e793116baed9f1d9843afab7f89bea8c6

SHA256
3be162f34b8109d1b900636a9f05b22e53eca56cfdf1c0f9a6ac6c43ded722af

SHA512
c149f6a6494f66ea6cb7fa3121bcfdf20fc115f90b93d33318216579257d165975922dddb78caf411b06e72d4ebc4da910d15679f291192d0019979f951308c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\GameSetup.exe

MD5
f5730ff133bb1267cfd49ec58b371b81

SHA1
3548cc6e793116baed9f1d9843afab7f89bea8c6

SHA256
3be162f34b8109d1b900636a9f05b22e53eca56cfdf1c0f9a6ac6c43ded722af

SHA512
c149f6a6494f66ea6cb7fa3121bcfdf20fc115f90b93d33318216579257d165975922dddb78caf411b06e72d4ebc4da910d15679f291192d0019979f951308c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\chrome_100_percent.pak

MD5
7c4728b2d58afdd97c4549c96b9561cc

SHA1
1e0d251eedd67e7021fc764b9188184617465c54

SHA256
419cfcc6dc5f38b2e0c970ebd4fad1ef55054579d5c0db2521d7ae494996aac3

SHA512
82d0931e4d1cf38f88050980f518cdacdc981c382771b1732bfbe69f601074a0e7378e27a7470c7dea4e287cb1617a5c038052908ed85134abcd5b6591b4e7df

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\chrome_200_percent.pak

MD5
6af049ad6fd11ee90ad9db31c4e02082

SHA1
5d2f9a59a74dc584b5dd78aeb6de583e969e3eb7

SHA256
edecf8e1ac353bfdae534e42507e5a59973cb4cab76fbb1ff1a470363e725bc4

SHA512
c7fa6e1a57861e62b9b4d615a988c98d13cde8abc23eaed7c36c2ecb86409da4b65b1f579ca2f307e90eb4d08d14b07f7f41ccb8d8c165d6de67c09c16009715

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\d3dcompiler_47.dll

MD5
6bc4ada9a7cab72f49c564e6c86b4c3e

SHA1
f0fba01542a0fbe585106f7efd884df65e8c89dc

SHA256
7d0d1290382ea0e44a3178446a0c202696237e27dbb5f8f0827691092b8f2228

SHA512
d7ec39514c104b40a42cd3ca956ba84f5a78f237a39f40d85ba54983145bce2dfbc7ec5e0cbc1bf8ab64d1d370371a7cba5e30202d2c1f37782db32486ed7f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\ffmpeg.dll

MD5
35ec77b86471ee4430245670075ac475

SHA1
809f227f5a011b3e0e329a0ea808c07591d4beb0

SHA256
973aa70e9542f30d816302bdab9dc400e47e0c6f3356ef75cf423f03e1404b11

SHA512
665c93b460785218a49f1254f73c8ce9a144987b1392888ce4e2af96736068e843910aeff5260b96a839ceb743b9b2f1a20aff363243c72d046b9d1d8366f23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\ffmpeg.dll

MD5
35ec77b86471ee4430245670075ac475

SHA1
809f227f5a011b3e0e329a0ea808c07591d4beb0

SHA256
973aa70e9542f30d816302bdab9dc400e47e0c6f3356ef75cf423f03e1404b11

SHA512
665c93b460785218a49f1254f73c8ce9a144987b1392888ce4e2af96736068e843910aeff5260b96a839ceb743b9b2f1a20aff363243c72d046b9d1d8366f23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\ffmpeg.dll

MD5
35ec77b86471ee4430245670075ac475

SHA1
809f227f5a011b3e0e329a0ea808c07591d4beb0

SHA256
973aa70e9542f30d816302bdab9dc400e47e0c6f3356ef75cf423f03e1404b11

SHA512
665c93b460785218a49f1254f73c8ce9a144987b1392888ce4e2af96736068e843910aeff5260b96a839ceb743b9b2f1a20aff363243c72d046b9d1d8366f23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\ffmpeg.dll

MD5
35ec77b86471ee4430245670075ac475

SHA1
809f227f5a011b3e0e329a0ea808c07591d4beb0

SHA256
973aa70e9542f30d816302bdab9dc400e47e0c6f3356ef75cf423f03e1404b11

SHA512
665c93b460785218a49f1254f73c8ce9a144987b1392888ce4e2af96736068e843910aeff5260b96a839ceb743b9b2f1a20aff363243c72d046b9d1d8366f23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\ffmpeg.dll

MD5
35ec77b86471ee4430245670075ac475

SHA1
809f227f5a011b3e0e329a0ea808c07591d4beb0

SHA256
973aa70e9542f30d816302bdab9dc400e47e0c6f3356ef75cf423f03e1404b11

SHA512
665c93b460785218a49f1254f73c8ce9a144987b1392888ce4e2af96736068e843910aeff5260b96a839ceb743b9b2f1a20aff363243c72d046b9d1d8366f23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\icudtl.dat

MD5
3f019441588332ac8b79a3a3901a5449

SHA1
c8930e95b78deef5b7730102acd39f03965d479a

SHA256
594637e10b8f5c97157413528f0cbf5bc65b4ab9e79f5fa34fe268092655ec57

SHA512
ee083ae5e93e70d5bbebe36ec482aa75c47d908df487a43db2b55ddd6b55c291606649175cf7907d6ab64fc81ead7275ec56e3193b631f8f78b10d2c775fd1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\locales\en-US.pak

MD5
98c8cfc3cb98ab34e06d4323b8bcb043

SHA1
2c0bda072161530b710fa0a1dfc3c23926184afe

SHA256
35adc5aeeebfe440e295b88d2a4089360ada33c353843b1f5438f4118501878b

SHA512
25edeca13b4a29f63bdc4f135eda1b1b8c72f3a58315f57895950bdc15f56b2af1aca42affe397716f5965437ece836f683265a33ec919b8b26056634612ed3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\resources.pak

MD5
d9022282a7fbf3aa354559ab6a9c7926

SHA1
ff1f2b77d80848bc1a51e48c21a033eb57d8776c

SHA256
ddc85d749b19cbabae11a0b8f7114daf75900179a2147280dd0f9f8faee7d65c

SHA512
6b9ab157cf8e10d8a79ea2ad4e247210fe2a7fd75dab086eb55951d4e028af3060e1f42175be936c6b093abc2c3071c0fd1c45afee3c567a79e1b722fe5f5d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\resources\app.asar

MD5
a3a14e62b8bbb2efb08f4086ffcd667d

SHA1
347c483be84de55cd5484e28742ff6c2dcb1fbfe

SHA256
9f56e4c3025f43cad0c018b6c7a626cd6890a081d27b6075a13446228c172228

SHA512
627f5ca6cc79b198403ca7a95a6cc684b71570a3ed3fe7fb04b89876e8cbcffb252c1e2e953c96bdf894cee10f06947afc0973dd956ee269d0bc428f6a588c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\resources\assets\images\background.png

MD5
32338b60ff8368fd431b32109eae89d2

SHA1
7a3a844f2e6371c8f3a08a142e2e792a6e77105a

SHA256
1d370406c3b0c6bfe109feb76229fd4a0fe1d4171ae2a77655a0fd3264558d2f

SHA512
be71b3dcc24cea203d59e08d8a4082dcf253eb02a971e67034f8cc0930f6af72830b1e35430cc861c08341082156585adcedcbfc788a83ec35fbd78107e20f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\resources\assets\license.txt

MD5
7f8e6e93556bc778f97ef40829432b36

SHA1
791a4d22a923718548e1a99795c6504d4c54094c

SHA256
eb3755e99c586f75e466047f377b3d22717ffa2733da135b6e4ece2186e0e491

SHA512
7ae3a22c0eab36458d8b73d759c277a81776c6686c2564e50bb684de7aac12d41c93367becb486dc099a8a43c31bf74e61c6f226bee0469de49de478d73f11f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\swiftshader\libEGL.dll

MD5
a0317784b0f2a415ba104c649f07afdb

SHA1
89263be130d10ae56d7e5e6f22346d73c77e649b

SHA256
5c53d3368de804706ba87da47db599d40e31f835460fcdc6fb1797afe96fcd5a

SHA512
a477d1273feb5cb91868a60c6de5d6db3020f25c29134876fa1840ede4a98206d6963620c7a224d9afc13d273bbf0ef5d73a4571f42c2b810c21bbb29fe3b106

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\swiftshader\libGLESv2.dll

MD5
c0481ac7e49d58dfcdd8d6d410dc1127

SHA1
be53da962844f448defc088a2f1f21023268c89d

SHA256
e0c1c19b704d414aba732ab8dc20d289e7fe597b21715a68b4153dbba720879c

SHA512
7d3c747f639bb6e3b8140da6acb28b6206fd7ac7156b4f6948b818002587a29df07f399fc23160e314a46f6a912544fdab377caa1b926f4f2ac31995a8ade515

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\swiftshader\libegl.dll

MD5
a0317784b0f2a415ba104c649f07afdb

SHA1
89263be130d10ae56d7e5e6f22346d73c77e649b

SHA256
5c53d3368de804706ba87da47db599d40e31f835460fcdc6fb1797afe96fcd5a

SHA512
a477d1273feb5cb91868a60c6de5d6db3020f25c29134876fa1840ede4a98206d6963620c7a224d9afc13d273bbf0ef5d73a4571f42c2b810c21bbb29fe3b106

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\swiftshader\libglesv2.dll

MD5
c0481ac7e49d58dfcdd8d6d410dc1127

SHA1
be53da962844f448defc088a2f1f21023268c89d

SHA256
e0c1c19b704d414aba732ab8dc20d289e7fe597b21715a68b4153dbba720879c

SHA512
7d3c747f639bb6e3b8140da6acb28b6206fd7ac7156b4f6948b818002587a29df07f399fc23160e314a46f6a912544fdab377caa1b926f4f2ac31995a8ade515

Download Submit
C:\Users\Admin\AppData\Local\Temp\25w1I2G4GRffZZ6RIz7wZXEzr5r\v8_context_snapshot.bin

MD5
dd199449f39f224376c2e3b3f5862d83

SHA1
1568ed6bf9b92371a11176f4ddf01c7f5a2d7b0f

SHA256
c9740e7e3028b643acfbfd634318c76e56f7f6bb53ce09e4b3ac179a6132bffa

SHA512
d88364ee2b540debf5e3e16fd712977c4f8dd979c2ea4746fccbd02a9daaee0c99fb84a2081d4dea2e29c1cae1a006140cb9dd0204c17ec0cf18bf815aea5621

Download Submit
C:\Users\Admin\AppData\Local\Temp\2abe5aed-ed74-48ce-909e-451d66ea81e7.tmp.node

MD5
e1395451f14b2507ec56d8c7c2026745

SHA1
541c2fa6ac3042bcee10573f69d9163d5fa86903

SHA256
a1075c41bd120d21769140f554921d3860aab4879ea4107c6c725cfa0e94b85c

SHA512
8c7e4bddac7e0943d93dd320ff24d0f568af5ae08bbd42559d734b80782ad9b8a56baf2ac2e052be2dbc08c23e1bccc927fd45c7270c7607c5141652b0cd391e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3ef0c35-a2dc-46ae-a011-3f8f9b58a368.tmp.node

MD5
ad5488ba1d8eb5b474b5bc412231d787

SHA1
33ef46b36e266b200f9e978bcc6b09053a7fe6e8

SHA256
a7e418807eeb89fe247ff420fa848c07daad82ac2a0188064136f6003ffb404d

SHA512
ccc250bb33aa96247403f26ef2fd926b9501109f0fa6971390c6eda7438f6cca138f0f307f805cd2f4cc43b343031a22af3f0ce951b7a46680766c9fce192e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn1743.tmp\System.dll

MD5
b8992e497d57001ddf100f9c397fcef5

SHA1
e26ddf101a2ec5027975d2909306457c6f61cfbd

SHA256
98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b

SHA512
8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF4F4.tmp\FiddlerSetup.exe

MD5
457790e53e39073fa6744fc2e9cfcf33

SHA1
7632bea661f1b11392d9d16df398eb0c751b287b

SHA256
22957b18fb746f1bd91d2ae5f06a25d402ecc08244a9f6489f9ebd11de98e402

SHA512
595b2d73a97585c842a8f9ac57b233bad67d02df14efadcd8065dcb2938c31da61d3950487121f9185c7bc837178b4f40b8ab46f720ccf43ba3d6a5dc5b0dfb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF4F4.tmp\FiddlerSetup.exe

MD5
457790e53e39073fa6744fc2e9cfcf33

SHA1
7632bea661f1b11392d9d16df398eb0c751b287b

SHA256
22957b18fb746f1bd91d2ae5f06a25d402ecc08244a9f6489f9ebd11de98e402

SHA512
595b2d73a97585c842a8f9ac57b233bad67d02df14efadcd8065dcb2938c31da61d3950487121f9185c7bc837178b4f40b8ab46f720ccf43ba3d6a5dc5b0dfb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvC894.tmp\StdUtils.dll

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvC894.tmp\System.dll

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\Downloads\AnyRunHelper.exe

MD5
01c688ba3c37612569e188db6f589ad5

SHA1
544189f58b91ed79a7938650aaf8c974723d4f7c

SHA256
aa42b2d38a85f13a354ce0df8d84d5dc8c1ec3b04ce321562f36eb9fa35bcd85

SHA512
abfe9aa53f4418eeef263df94a7878f17710d08bb09a00ea7f919e7d3fa0c7fdff41256d848da33ff6243c1420aa2599c2c09858c9bdb355670bff6ce5b4deea

Download Submit
C:\Users\Admin\Downloads\AnyRunHelper.exe

MD5
01c688ba3c37612569e188db6f589ad5

SHA1
544189f58b91ed79a7938650aaf8c974723d4f7c

SHA256
aa42b2d38a85f13a354ce0df8d84d5dc8c1ec3b04ce321562f36eb9fa35bcd85

SHA512
abfe9aa53f4418eeef263df94a7878f17710d08bb09a00ea7f919e7d3fa0c7fdff41256d848da33ff6243c1420aa2599c2c09858c9bdb355670bff6ce5b4deea

Download Submit
C:\Users\Admin\Downloads\Signalis.exe

MD5
33bd053094b7591ca9ae11aa8dd7b8a4

SHA1
4b72562246dd98ff3d592bd0a837ce56a06f3dce

SHA256
1aa24aaa3e192b52553a16d16cffdb34ca1c30c7ace18f8e4195afaeec738997

SHA512
860fa50cc5c62b3c93b7dbabe1d216dbe28bf874887c957181beae61f22716a81f3ec0924fa456ba84a51abb5f083d6cd803fa4bfb1244c87e6e97a889174d68

Download Submit
C:\Users\Admin\Downloads\Signalis.exe

MD5
33bd053094b7591ca9ae11aa8dd7b8a4

SHA1
4b72562246dd98ff3d592bd0a837ce56a06f3dce

SHA256
1aa24aaa3e192b52553a16d16cffdb34ca1c30c7ace18f8e4195afaeec738997

SHA512
860fa50cc5c62b3c93b7dbabe1d216dbe28bf874887c957181beae61f22716a81f3ec0924fa456ba84a51abb5f083d6cd803fa4bfb1244c87e6e97a889174d68

Download Submit
C:\Users\Admin\FiddlerInstaller.exe

MD5
ff7ce5771a7d4b3b0e34a04cf776acb9

SHA1
2adab5e1704a4a6cbb45e8057cb0afda4c029c9b

SHA256
aaa4d714eeaae8f6a96a63110cd239ec44fac75ae591ab181c13ac837e0ec1a4

SHA512
0238a1b438c0fb70c5c12205c81b1bf955146276ed07408cb7513d387420598f8540b22d6efcc8e163d1aea2594ea811cf145d5bfa08d80a7c6e23003ffdb2b2

Download Submit
C:\Users\Admin\FiddlerInstaller.exe

MD5
ff7ce5771a7d4b3b0e34a04cf776acb9

SHA1
2adab5e1704a4a6cbb45e8057cb0afda4c029c9b

SHA256
aaa4d714eeaae8f6a96a63110cd239ec44fac75ae591ab181c13ac837e0ec1a4

SHA512
0238a1b438c0fb70c5c12205c81b1bf955146276ed07408cb7513d387420598f8540b22d6efcc8e163d1aea2594ea811cf145d5bfa08d80a7c6e23003ffdb2b2

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\5b8fe9b0a9fcfdaaeb3088c08c05d848\EnableLoopback.ni.exe

MD5
796111e9466fd9a8319b9c0e99f9b747

SHA1
ea7a5072b231144f118b70c16cff691e1998f05a

SHA256
dcc5852cb96f11b409a3d3087548bdec0f2208a9cb75c5ac9156ddf6ebc5d88c

SHA512
997b322d00c06e176bce82bf36a1c8b306d23d4a6c64b871d2e45ba70c4d4304a70ef36a5eeddcba14a6dc8a7ef6af9a6bfba176ec391540606bc361441a3717

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll

MD5
b0bd1b2c367441f420d9cc270cf7fab6

SHA1
bdd65767f9c8047125a86b66b5678d8d72a76911

SHA256
447bfc33e8f3bc3d661200891933fed1bb28c402d1063e6838f55096ec9833aa

SHA512
551becf8035964921fca26458e46cd32fadf1703e66724df5cc868447bb0b0c181f87eba1c3df1bece2a9a127aea78bcc2f00ad38ecd05d438119cd1a9ce8324

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll

MD5
3385fdacfda1fc77da651550a705936d

SHA1
207023bf3b3ff2c93e9368ba018d32bb11e47a8a

SHA256
44a217d721c0fb7de3f52123ace1eeaf62f48f40f55bd816bb32c422d0939eec

SHA512
bb8f38dc08b1983a5b5b1b6dac069364cec4f3a9a88fcf277cfdefac376a8c6207078938f064aacef1032f9a15cf9d21174aef4b94a89513fd65a2cfaaab5174

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll

MD5
50b28be2b84f9dd1258a346525f8c2e5

SHA1
203abebaa5c22c9f6ac099d020711669e6655ed8

SHA256
6c51e5a928f227bb64a7eb9e48089bca5e9bbef0d0329b971ebbf918335ee1ac

SHA512
d5336827cdb202ab51583c32a45960ae43c56499dbe149ec0edb907f8f33e12800c7aa187a52a3c93e3f2ebcb677bed4e7e829e1df3fee05fe3fdc21948f571d

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll

MD5
35738b026183e92c1f7a6344cfa189fd

SHA1
ccc1510ef4a88a010087321b8af89f0c0c29b6d8

SHA256
4075d88d2ba1cff2a8ab9be66176045628d24cae370428e0128f8af3a77639fb

SHA512
ab7100c26f60ae30a84ba3de31ca96c530e86e052ffc997fd7fd3144e2049fc0d188a3d075a123b6f728dc882beee3d6a35a086d19d7dad4d385e101382fc436

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll

MD5
e4b53e736786edcfbfc70f87c5ef4aad

SHA1
62cdd43c2d1f8ae9b28c484344e3fb7135a4e4d5

SHA256
9ac6d5445caaacae6813243c787e8d67c974988acd1a4a5f564503fd36e91e46

SHA512
42a3b1cc0b805674f48a8d7891ab5ecae33d5a2205059317ca5441e7de52f26eabb32e79a3040d7aa0e0333b19f80d93d25e1faa1dfe5cfb0ea39efba5767fde

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll

MD5
e4b53e736786edcfbfc70f87c5ef4aad

SHA1
62cdd43c2d1f8ae9b28c484344e3fb7135a4e4d5

SHA256
9ac6d5445caaacae6813243c787e8d67c974988acd1a4a5f564503fd36e91e46

SHA512
42a3b1cc0b805674f48a8d7891ab5ecae33d5a2205059317ca5441e7de52f26eabb32e79a3040d7aa0e0333b19f80d93d25e1faa1dfe5cfb0ea39efba5767fde

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll

MD5
e4b53e736786edcfbfc70f87c5ef4aad

SHA1
62cdd43c2d1f8ae9b28c484344e3fb7135a4e4d5

SHA256
9ac6d5445caaacae6813243c787e8d67c974988acd1a4a5f564503fd36e91e46

SHA512
42a3b1cc0b805674f48a8d7891ab5ecae33d5a2205059317ca5441e7de52f26eabb32e79a3040d7aa0e0333b19f80d93d25e1faa1dfe5cfb0ea39efba5767fde

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux

MD5
255a843ca54e88fd16d2befcc1bafb7a

SHA1
aee7882de50a5cea1e4c2c2ddfaa4476f20a9be9

SHA256
8cd849585fe99e63f28b49f1dae2d1b47a406268dcc5a161e58331a6a3cba3ed

SHA512
666866c0d25d61dc04341cf95eb61969698cfafce232097e60cb0537ea2a35635e1e4986036e413fb51927187183aa2e64ecac7fbc26bac46998c0bd84f69e45

Download Submit
\??\pipe\LOCAL\crashpad_4924_VTWVDSGNIIAVYRQV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/768-179-0x00000215E1BA0000-0x00000215E1D26000-memory.dmp

Filesize
1.5MB

Download
memory/768-181-0x00000215E1AD0000-0x00000215E1B82000-memory.dmp

Filesize
712KB

Download
memory/768-180-0x00000215E1970000-0x00000215E1992000-memory.dmp

Filesize
136KB

Download
memory/768-177-0x00000215E19C0000-0x00000215E1A10000-memory.dmp

Filesize
320KB

Download
memory/768-182-0x00000215E1A10000-0x00000215E1A32000-memory.dmp

Filesize
136KB

Download
memory/768-183-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/768-176-0x00000215C7AF0000-0x00000215C7B08000-memory.dmp

Filesize
96KB

Download
memory/804-260-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/832-247-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/860-186-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/872-256-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/896-257-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/1144-190-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/1336-255-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/1516-258-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/1900-252-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/2184-185-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/2428-197-0x00007FFC4B4A0000-0x00007FFC4B4A1000-memory.dmp

Filesize
4KB

Download
memory/2532-194-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/3156-226-0x000001DD6A8D0000-0x000001DD6ADF8000-memory.dmp

Filesize
5.2MB

Download
memory/3156-240-0x000001DD6A420000-0x000001DD6A452000-memory.dmp

Filesize
200KB

Download
memory/3156-221-0x000001DD6A0C0000-0x000001DD6A10A000-memory.dmp

Filesize
296KB

Download
memory/3156-215-0x000001DD4FFC0000-0x000001DD50010000-memory.dmp

Filesize
320KB

Download
memory/3156-223-0x000001DD4FF50000-0x000001DD4FF5C000-memory.dmp

Filesize
48KB

Download
memory/3156-211-0x000001DD69F40000-0x000001DD6A0B6000-memory.dmp

Filesize
1.5MB

Download
memory/3156-213-0x000001DD6A180000-0x000001DD6A23A000-memory.dmp

Filesize
744KB

Download
memory/3156-225-0x000001DD6A2F0000-0x000001DD6A398000-memory.dmp

Filesize
672KB

Download
memory/3156-217-0x000001DD4FF80000-0x000001DD4FFA4000-memory.dmp

Filesize
144KB

Download
memory/3156-228-0x000001DD69EC0000-0x000001DD69ED6000-memory.dmp

Filesize
88KB

Download
memory/3156-229-0x000001DD6A110000-0x000001DD6A158000-memory.dmp

Filesize
288KB

Download
memory/3156-230-0x000001DD4FF60000-0x000001DD4FF68000-memory.dmp

Filesize
32KB

Download
memory/3156-231-0x000001DD4FF70000-0x000001DD4FF80000-memory.dmp

Filesize
64KB

Download
memory/3156-232-0x000001DD6A240000-0x000001DD6A27C000-memory.dmp

Filesize
240KB

Download
memory/3156-233-0x000001DD69F00000-0x000001DD69F12000-memory.dmp

Filesize
72KB

Download
memory/3156-234-0x000001DD69F20000-0x000001DD69F3E000-memory.dmp

Filesize
120KB

Download
memory/3156-235-0x000001DD6A3A0000-0x000001DD6A3DA000-memory.dmp

Filesize
232KB

Download
memory/3156-236-0x000001DD6A160000-0x000001DD6A17C000-memory.dmp

Filesize
112KB

Download
memory/3156-237-0x000001DD6AE00000-0x000001DD6B2CC000-memory.dmp

Filesize
4.8MB

Download
memory/3156-238-0x000001DD6A280000-0x000001DD6A292000-memory.dmp

Filesize
72KB

Download
memory/3156-239-0x000001DD6A2A0000-0x000001DD6A2C0000-memory.dmp

Filesize
128KB

Download
memory/3156-218-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/3156-241-0x000001DD6A4B0000-0x000001DD6A4F4000-memory.dmp

Filesize
272KB

Download
memory/3156-242-0x000001DD6A2C0000-0x000001DD6A2DA000-memory.dmp

Filesize
104KB

Download
memory/3156-243-0x000001DD6A630000-0x000001DD6A752000-memory.dmp

Filesize
1.1MB

Download
memory/3156-244-0x000001DD6A3E0000-0x000001DD6A400000-memory.dmp

Filesize
128KB

Download
memory/3156-220-0x000001DD4FF30000-0x000001DD4FF3C000-memory.dmp

Filesize
48KB

Download
memory/3588-165-0x0000000000580000-0x0000000000C00000-memory.dmp

Filesize
6.5MB

Download
memory/3588-166-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/3676-206-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/4024-187-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/4140-261-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/4148-253-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/4276-246-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/4308-263-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/4312-259-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/4544-178-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/4544-174-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/4828-254-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/5020-262-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download
memory/5064-264-0x00007FFC294B0000-0x00007FFC29F71000-memory.dmp

Filesize
10.8MB

Download