hawkeye | 71dbb1177cb271ab30531fda54cad0f1ea8be87182f96bf21f37dcf65758f6ce

Analysis

max time kernel
1106s
max time network
1150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO SAI FOOD PVT LTD .exe
Size

1.0MB
MD5

dea59d578e0e64728780fb67dde7d96d
SHA1

b23c86a74f5514ebcfb8e3f102a4b16f60ff4076
SHA256

71dbb1177cb271ab30531fda54cad0f1ea8be87182f96bf21f37dcf65758f6ce
SHA512

64663c97bcea47b6c265df2598e12b1dfeb437efc6e78a6a23cf0a02cfeaf28b054cc5af85b2d1aff3822c5d5b82905952db2722e095e138a0bf0203977d4bce
SSDEEP

24576:xsep9+wg44M5eh0GGxlA2F4O41ub2z6X46qU8A/yHD5A1:eo9+wg44M5eoA2FGO2m4XU8A/yj5A1

Score

10^/10

hawkeye lloydsbank collection credential_access discovery execution keylogger persistence phishing spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.comedyskits.com.ng
Port:
21
Username:
[email protected]
Password:
TGXs]#J&_ReU

Signatures

Detected lloydsbank phishing page
phishing lloydsbank
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 7 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral1/memory/4380-30-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2608-92-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2608-93-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2608-95-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/4416-97-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/4416-96-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/4416-104-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/4380-30-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2608-92-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2608-93-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2608-95-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/4380-30-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/4416-97-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/4416-96-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/4416-104-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Command and Scripting Interpreter: PowerShell 1 TTPs 28 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3844	powershell.exe
2328	powershell.exe
3056	powershell.exe
4744	powershell.exe
4656	powershell.exe
1232	powershell.exe
4108	powershell.exe
216	powershell.exe
3820	powershell.exe
4548	powershell.exe
1184	powershell.exe
5128	powershell.exe
560	powershell.exe
5220	powershell.exe
1332	powershell.exe
2080	powershell.exe
3780	powershell.exe
2896	powershell.exe
2064	powershell.exe
1456	powershell.exe
1088	powershell.exe
5476	powershell.exe
3296	powershell.exe
5112	powershell.exe
2468	powershell.exe
5276	powershell.exe
3312	powershell.exe
4816	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PO SAI FOOD PVT LTD .execIQcmsFxE.exePO SAI FOOD PVT LTD .execIQcmsFxE.execIQcmsFxE.exePO SAI FOOD PVT LTD .exePO SAI FOOD PVT LTD .exePO SAI FOOD PVT LTD .execIQcmsFxE.execIQcmsFxE.exePO SAI FOOD PVT LTD .execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	PO SAI FOOD PVT LTD .exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	cIQcmsFxE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	PO SAI FOOD PVT LTD .exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	cIQcmsFxE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	cIQcmsFxE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	PO SAI FOOD PVT LTD .exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	PO SAI FOOD PVT LTD .exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	PO SAI FOOD PVT LTD .exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	cIQcmsFxE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	cIQcmsFxE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	PO SAI FOOD PVT LTD .exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	cIQcmsFxE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	cIQcmsFxE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	cIQcmsFxE.exe

Executes dropped EXE 20 IoCs

Processes:

cIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.exe

pid	process
1476	cIQcmsFxE.exe
3888	cIQcmsFxE.exe
1524	cIQcmsFxE.exe
4780	cIQcmsFxE.exe
1856	cIQcmsFxE.exe
5068	cIQcmsFxE.exe
1500	cIQcmsFxE.exe
4824	cIQcmsFxE.exe
1076	cIQcmsFxE.exe
3536	cIQcmsFxE.exe
5012	cIQcmsFxE.exe
4060	cIQcmsFxE.exe
2948	cIQcmsFxE.exe
3844	cIQcmsFxE.exe
5332	cIQcmsFxE.exe
2148	cIQcmsFxE.exe
5784	cIQcmsFxE.exe
5428	cIQcmsFxE.exe
5948	cIQcmsFxE.exe
5288	cIQcmsFxE.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

PO SAI FOOD PVT LTD .exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	PO SAI FOOD PVT LTD .exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 whatismyipaddress.com
33 whatismyipaddress.com

flow	ioc
31	whatismyipaddress.com
33	whatismyipaddress.com

Drops file in System32 directory 3 IoCs

Processes:

chrome.exemmc.exe

description	ioc	process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of SetThreadContext 16 IoCs

Processes:

PO SAI FOOD PVT LTD .exePO SAI FOOD PVT LTD .exePO SAI FOOD PVT LTD .exePO SAI FOOD PVT LTD .exePO SAI FOOD PVT LTD .exePO SAI FOOD PVT LTD .execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.exePO SAI FOOD PVT LTD .exe

description	pid	process	target process
PID 2964 set thread context of 4380	2964	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 4380 set thread context of 2608	4380	PO SAI FOOD PVT LTD .exe	vbc.exe
PID 4380 set thread context of 4416	4380	PO SAI FOOD PVT LTD .exe	vbc.exe
PID 4304 set thread context of 3260	4304	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 4108 set thread context of 4540	4108	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 2304 set thread context of 4124	2304	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 3252 set thread context of 2768	3252	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 1476 set thread context of 1076	1476	cIQcmsFxE.exe	cIQcmsFxE.exe
PID 3888 set thread context of 5012	3888	cIQcmsFxE.exe	cIQcmsFxE.exe
PID 1524 set thread context of 4060	1524	cIQcmsFxE.exe	cIQcmsFxE.exe
PID 1856 set thread context of 2948	1856	cIQcmsFxE.exe	cIQcmsFxE.exe
PID 4780 set thread context of 5332	4780	cIQcmsFxE.exe	cIQcmsFxE.exe
PID 5068 set thread context of 2148	5068	cIQcmsFxE.exe	cIQcmsFxE.exe
PID 1500 set thread context of 5948	1500	cIQcmsFxE.exe	cIQcmsFxE.exe
PID 4824 set thread context of 5288	4824	cIQcmsFxE.exe	cIQcmsFxE.exe
PID 736 set thread context of 5732	736	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cIQcmsFxE.exepowershell.exevbc.execIQcmsFxE.execIQcmsFxE.execIQcmsFxE.exePO SAI FOOD PVT LTD .execIQcmsFxE.exePO SAI FOOD PVT LTD .exeschtasks.execIQcmsFxE.execIQcmsFxE.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeschtasks.exepowershell.exepowershell.exeschtasks.exePO SAI FOOD PVT LTD .exepowershell.exeschtasks.exepowershell.exePO SAI FOOD PVT LTD .exePO SAI FOOD PVT LTD .exeschtasks.exepowershell.exeschtasks.execIQcmsFxE.exeschtasks.execIQcmsFxE.exepowershell.exevbc.exepowershell.exepowershell.exepowershell.exeschtasks.exeschtasks.execIQcmsFxE.exePO SAI FOOD PVT LTD .exepowershell.exePO SAI FOOD PVT LTD .execIQcmsFxE.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execIQcmsFxE.exePO SAI FOOD PVT LTD .exePO SAI FOOD PVT LTD .exepowershell.exepowershell.exepowershell.exeschtasks.exeschtasks.execIQcmsFxE.exePO SAI FOOD PVT LTD .exeschtasks.exePO SAI FOOD PVT LTD .execIQcmsFxE.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cIQcmsFxE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cIQcmsFxE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cIQcmsFxE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cIQcmsFxE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO SAI FOOD PVT LTD .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cIQcmsFxE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO SAI FOOD PVT LTD .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cIQcmsFxE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cIQcmsFxE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO SAI FOOD PVT LTD .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO SAI FOOD PVT LTD .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO SAI FOOD PVT LTD .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cIQcmsFxE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cIQcmsFxE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cIQcmsFxE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO SAI FOOD PVT LTD .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO SAI FOOD PVT LTD .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cIQcmsFxE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cIQcmsFxE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO SAI FOOD PVT LTD .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO SAI FOOD PVT LTD .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cIQcmsFxE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO SAI FOOD PVT LTD .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO SAI FOOD PVT LTD .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cIQcmsFxE.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133680968819523647"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2412658365-3084825385-3340777666-1000\{8E762298-CA76-4701-A68C-8375841DFF90}	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4868	schtasks.exe
2288	schtasks.exe
5300	schtasks.exe
5736	schtasks.exe
5412	schtasks.exe
3564	schtasks.exe
400	schtasks.exe
5292	schtasks.exe
5568	schtasks.exe
3056	schtasks.exe
5012	schtasks.exe
5116	schtasks.exe
4568	schtasks.exe
5284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exevbc.exePO SAI FOOD PVT LTD .exepowershell.exepowershell.exePO SAI FOOD PVT LTD .exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execIQcmsFxE.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4108	powershell.exe
4108	powershell.exe
1232	powershell.exe
1232	powershell.exe
4108	powershell.exe
1232	powershell.exe
4416	vbc.exe
4416	vbc.exe
4380	PO SAI FOOD PVT LTD .exe
4380	PO SAI FOOD PVT LTD .exe
3844	powershell.exe
3844	powershell.exe
216	powershell.exe
216	powershell.exe
4304	PO SAI FOOD PVT LTD .exe
4304	PO SAI FOOD PVT LTD .exe
3844	powershell.exe
216	powershell.exe
1184	powershell.exe
1184	powershell.exe
1332	powershell.exe
1332	powershell.exe
1332	powershell.exe
1184	powershell.exe
2080	powershell.exe
2080	powershell.exe
3296	powershell.exe
3296	powershell.exe
3296	powershell.exe
2080	powershell.exe
5112	powershell.exe
5112	powershell.exe
1088	powershell.exe
1088	powershell.exe
1088	powershell.exe
5112	powershell.exe
3820	powershell.exe
3820	powershell.exe
3780	powershell.exe
3780	powershell.exe
3820	powershell.exe
2468	powershell.exe
2468	powershell.exe
2896	powershell.exe
2896	powershell.exe
3780	powershell.exe
3888	cIQcmsFxE.exe
3888	cIQcmsFxE.exe
2328	powershell.exe
2328	powershell.exe
2468	powershell.exe
2468	powershell.exe
560	powershell.exe
560	powershell.exe
4744	powershell.exe
4744	powershell.exe
3056	powershell.exe
3056	powershell.exe
4548	powershell.exe
4548	powershell.exe
2064	powershell.exe
1456	powershell.exe
2064	powershell.exe
1456	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

PO SAI FOOD PVT LTD .exemmc.exe

pid process

4380 PO SAI FOOD PVT LTD .exe
4184 mmc.exe

pid	process
4380	PO SAI FOOD PVT LTD .exe
4184	mmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

Processes:

chrome.exe

pid	process
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

mmc.exe

pid process

4184 mmc.exe

pid	process
4184	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exePO SAI FOOD PVT LTD .exemmc.exe

description	pid	process
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	4380	PO SAI FOOD PVT LTD .exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe
Token: SeIncBasePriorityPrivilege	4184	mmc.exe
Token: 33	4184	mmc.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

chrome.exe

pid	process
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exe

pid	process
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

PO SAI FOOD PVT LTD .exemmc.exe

pid process

4380 PO SAI FOOD PVT LTD .exe
4184 mmc.exe
4184 mmc.exe

pid	process
4380	PO SAI FOOD PVT LTD .exe
4184	mmc.exe
4184	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PO SAI FOOD PVT LTD .exePO SAI FOOD PVT LTD .exePO SAI FOOD PVT LTD .exePO SAI FOOD PVT LTD .exe

description	pid	process	target process
PID 2964 wrote to memory of 1232	2964	PO SAI FOOD PVT LTD .exe	powershell.exe
PID 2964 wrote to memory of 1232	2964	PO SAI FOOD PVT LTD .exe	powershell.exe
PID 2964 wrote to memory of 1232	2964	PO SAI FOOD PVT LTD .exe	powershell.exe
PID 2964 wrote to memory of 4108	2964	PO SAI FOOD PVT LTD .exe	powershell.exe
PID 2964 wrote to memory of 4108	2964	PO SAI FOOD PVT LTD .exe	powershell.exe
PID 2964 wrote to memory of 4108	2964	PO SAI FOOD PVT LTD .exe	powershell.exe
PID 2964 wrote to memory of 3564	2964	PO SAI FOOD PVT LTD .exe	schtasks.exe
PID 2964 wrote to memory of 3564	2964	PO SAI FOOD PVT LTD .exe	schtasks.exe
PID 2964 wrote to memory of 3564	2964	PO SAI FOOD PVT LTD .exe	schtasks.exe
PID 2964 wrote to memory of 4380	2964	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 2964 wrote to memory of 4380	2964	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 2964 wrote to memory of 4380	2964	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 2964 wrote to memory of 4380	2964	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 2964 wrote to memory of 4380	2964	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 2964 wrote to memory of 4380	2964	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 2964 wrote to memory of 4380	2964	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 2964 wrote to memory of 4380	2964	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 4380 wrote to memory of 2608	4380	PO SAI FOOD PVT LTD .exe	vbc.exe
PID 4380 wrote to memory of 2608	4380	PO SAI FOOD PVT LTD .exe	vbc.exe
PID 4380 wrote to memory of 2608	4380	PO SAI FOOD PVT LTD .exe	vbc.exe
PID 4380 wrote to memory of 2608	4380	PO SAI FOOD PVT LTD .exe	vbc.exe
PID 4380 wrote to memory of 2608	4380	PO SAI FOOD PVT LTD .exe	vbc.exe
PID 4380 wrote to memory of 2608	4380	PO SAI FOOD PVT LTD .exe	vbc.exe
PID 4380 wrote to memory of 2608	4380	PO SAI FOOD PVT LTD .exe	vbc.exe
PID 4380 wrote to memory of 2608	4380	PO SAI FOOD PVT LTD .exe	vbc.exe
PID 4380 wrote to memory of 2608	4380	PO SAI FOOD PVT LTD .exe	vbc.exe
PID 4380 wrote to memory of 4416	4380	PO SAI FOOD PVT LTD .exe	vbc.exe
PID 4380 wrote to memory of 4416	4380	PO SAI FOOD PVT LTD .exe	vbc.exe
PID 4380 wrote to memory of 4416	4380	PO SAI FOOD PVT LTD .exe	vbc.exe
PID 4380 wrote to memory of 4416	4380	PO SAI FOOD PVT LTD .exe	vbc.exe
PID 4380 wrote to memory of 4416	4380	PO SAI FOOD PVT LTD .exe	vbc.exe
PID 4380 wrote to memory of 4416	4380	PO SAI FOOD PVT LTD .exe	vbc.exe
PID 4380 wrote to memory of 4416	4380	PO SAI FOOD PVT LTD .exe	vbc.exe
PID 4380 wrote to memory of 4416	4380	PO SAI FOOD PVT LTD .exe	vbc.exe
PID 4380 wrote to memory of 4416	4380	PO SAI FOOD PVT LTD .exe	vbc.exe
PID 4304 wrote to memory of 3844	4304	PO SAI FOOD PVT LTD .exe	powershell.exe
PID 4304 wrote to memory of 3844	4304	PO SAI FOOD PVT LTD .exe	powershell.exe
PID 4304 wrote to memory of 3844	4304	PO SAI FOOD PVT LTD .exe	powershell.exe
PID 4304 wrote to memory of 216	4304	PO SAI FOOD PVT LTD .exe	powershell.exe
PID 4304 wrote to memory of 216	4304	PO SAI FOOD PVT LTD .exe	powershell.exe
PID 4304 wrote to memory of 216	4304	PO SAI FOOD PVT LTD .exe	powershell.exe
PID 4304 wrote to memory of 4868	4304	PO SAI FOOD PVT LTD .exe	schtasks.exe
PID 4304 wrote to memory of 4868	4304	PO SAI FOOD PVT LTD .exe	schtasks.exe
PID 4304 wrote to memory of 4868	4304	PO SAI FOOD PVT LTD .exe	schtasks.exe
PID 4304 wrote to memory of 2140	4304	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 4304 wrote to memory of 2140	4304	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 4304 wrote to memory of 2140	4304	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 4304 wrote to memory of 3260	4304	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 4304 wrote to memory of 3260	4304	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 4304 wrote to memory of 3260	4304	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 4304 wrote to memory of 3260	4304	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 4304 wrote to memory of 3260	4304	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 4304 wrote to memory of 3260	4304	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 4304 wrote to memory of 3260	4304	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 4304 wrote to memory of 3260	4304	PO SAI FOOD PVT LTD .exe	PO SAI FOOD PVT LTD .exe
PID 4108 wrote to memory of 1184	4108	PO SAI FOOD PVT LTD .exe	powershell.exe
PID 4108 wrote to memory of 1184	4108	PO SAI FOOD PVT LTD .exe	powershell.exe
PID 4108 wrote to memory of 1184	4108	PO SAI FOOD PVT LTD .exe	powershell.exe
PID 4108 wrote to memory of 1332	4108	PO SAI FOOD PVT LTD .exe	powershell.exe
PID 4108 wrote to memory of 1332	4108	PO SAI FOOD PVT LTD .exe	powershell.exe
PID 4108 wrote to memory of 1332	4108	PO SAI FOOD PVT LTD .exe	powershell.exe
PID 4108 wrote to memory of 2288	4108	PO SAI FOOD PVT LTD .exe	schtasks.exe
PID 4108 wrote to memory of 2288	4108	PO SAI FOOD PVT LTD .exe	schtasks.exe
PID 4108 wrote to memory of 2288	4108	PO SAI FOOD PVT LTD .exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe
"C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1232
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4108
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cIQcmsFxE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC2A4.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3564
- C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe
  "C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:2608
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4416

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:3600

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe
"C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3844
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:216
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cIQcmsFxE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD2EB.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4868
- C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe
  "C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe"
  2⤵
  PID:2140
- C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe
  "C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe"
  2⤵
  PID:3260

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4184

C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe
"C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1184
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1332
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cIQcmsFxE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA0F9.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2288
- C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe
  "C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4540

C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe
"C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2304
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3296
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2080
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cIQcmsFxE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC51.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3056
- C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe
  "C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4124

C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe
"C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3252
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5112
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1088
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cIQcmsFxE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1D3E.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:400
- C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe
  "C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2768

C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1476
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3780
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3820
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cIQcmsFxE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp62D2.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:5012
- C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
  "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1076

C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3888
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2896
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cIQcmsFxE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6747.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:5116
- C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
  "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
  "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Executes dropped EXE
  PID:5012

C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1524
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2328
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3056
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cIQcmsFxE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6E6B.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4568
- C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
  "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4060

C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4780
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2064
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4548
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cIQcmsFxE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp708E.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:5300
- C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
  "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5332

C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1856
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4744
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID:4656
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cIQcmsFxE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6FC3.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:5284
- C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
  "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2948

C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5068
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:560
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1456
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cIQcmsFxE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6FB3.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:5292
- C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
  "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2148

C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1500
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID:5128
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID:5276
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cIQcmsFxE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7282.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:5412
- C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
  "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
  "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Executes dropped EXE
  PID:5784
- C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
  "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Executes dropped EXE
  PID:5428
- C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
  "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5948

C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4824
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID:5220
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID:5476
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cIQcmsFxE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7456.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5568
- C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe
  "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5288

C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe
"C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:736
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID:3312
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cIQcmsFxE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID:4816
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cIQcmsFxE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9AE9.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:5736
- C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe
  "C:\Users\Admin\AppData\Local\Temp\PO SAI FOOD PVT LTD .exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb742ccc40,0x7ffb742ccc4c,0x7ffb742ccc58
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2124,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1828,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2312,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2476 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3320,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3936,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3144,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4784,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:6744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4772,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:7108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4952,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:6512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5012,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:6572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4620,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:6664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4632,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5416,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:6216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5504,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4652,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5632,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:5264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5940,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4544,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3920 /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:6900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6008,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:7100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5768,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=4608,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:6600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=3964,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5812,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:5928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5828,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=3384,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=5016,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=3576,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=3960,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=5648,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=5720,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=5484,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=6044,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:7148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=3768,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:6784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6204,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6244 /prefetch:8
  2⤵
  - Modifies registry class
  PID:6516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=5248,i,5452897722347568079,1373896996571757843,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:5160

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6188

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x244 0x4e8
1⤵
PID:5588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b2b95f0a2b2ab710f91ea745cb4ada6f

SHA1
2ed59160d9153205d647e551d4c8bc32994acc19

SHA256
dbb2d18fdcf0503f7836ebbb97237906ef6054f0577fc18f07b1bbcd38f93041

SHA512
ce1db009b10691150791b248185878a751307d83ff756d95bcffb6abded4f0a796f2b7c3fc7aae647cb5346e77002f7ee5d7fe8d3997b4e063a7e34300746925

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\56dad2dc34f75993_0

Filesize
361KB

MD5
bc9b5f37144c2979e06500d44317493e

SHA1
82b000cd5ec2aa8aaea6f5bf64e9d3ddd9706fa8

SHA256
665d6e80817bd03c0dc1d67628257f5a5ee2cb4cffb1d04c1819170294312f4d

SHA512
fbf86f4f88f6966153b806a26fad50f331de1f9b4fd2439b2ccb3af8afc0482b69d9830873634b4f2e23802a420106c41f604d01063c6c07c4fc47ba2e506f63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
2KB

MD5
93cdc8df0b3043364432837ac9a8a6e0

SHA1
b4197875009867fd0c0cddea5dc58e8b439d5d98

SHA256
af4a604344a976b0cb110326525c5439c113d6bf4a1ff7ff6fd2d1d66c528e47

SHA512
cf0165e39da7f55b4369bf93f94cdbd2730fb3ac67fd319579afba807c901192bd94fc551056532eff19bb42b8a90f1f8ba82eb83a3e371ab93aeceaeca5ef57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
05dc6ae78bd6fefbc494b4bd7d47a82a

SHA1
3c69a87adc25bad2dd85590e38dc033de5f537f7

SHA256
6c5bbe467126be75ded84d60062e2fb4ae39f6d45e2e7d65d935cd8719c6a8ac

SHA512
209d1b19993b5210e48ede68e791051805c221bce88a918f9f4a98656d0637d2b23203e5fdbf2e0e161bf79267f889d1aa6ef0abe2a0559b249ff0026333df3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fba18e9679d50759920da233ce07a704

SHA1
a366e2c321f6ec576979045beb00840e4e6daaa8

SHA256
8f60dfa4c0b0704fdf4ea93b591c0214ec986bd1e273ca93550aab4b18b2ddba

SHA512
b5052cd8030c4ca50b29dbf03d7730643088b554530d85f5e7ab062b5a5896a2de39f44bfd1ce0878714bb7552ccaa27bf419d158e511fb0c30267c7376a990a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
5189144250de245b94cb1a178385bd0f

SHA1
b72934711ab84438cc8291e7854a9132e5a6a4e6

SHA256
07c873083cc308b60fb5c2e8f7b02f1e67a50f9c87b126f78072070870c068ce

SHA512
b70581425b933dc6ad498c11e6e91a9ed5e267e2fba051b7de78a83db2cfff9597876bc8eb19d2af7160c06785aab305b12487481e806591fb2b0173917e3521

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
eff605bb997bc6bcb65e50c2e116513c

SHA1
e30e8ab57c2b925895f30068e82925adb49f9853

SHA256
00b091f2e334ba8e31393e923af621f8e01fa24102e9ee2d5c41bb6774f81874

SHA512
9c1bad734e96d517c7b7c5e5a0efa6c00efb9e03038abb9bfaae67f4729ce51b90d9bfd5136e4ff1dd0d095ccff860f82783afbe6d8bd3530a285499b82b727c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_feddy.federalbank.co.in_8443.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
37898b87dfcc5add3299ec068570a5d5

SHA1
514f48c457163758b133738f4dd100ceb9e79c6d

SHA256
e21eca10c36efd5429c7d4882d53e555257ee4e58588f0ab8107036703194101

SHA512
cfcf5859705fc41fc55fdb897633a698391f014466da84e7ada14bd71a1ddbb857e8ae4e458853974aaf6e38236c1b76c8495a9b7b408882fea424b9a97b796a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
11KB

MD5
c045f020cee4172b25f8e3f7199b7317

SHA1
05c95687004ca906fa234680ed94f96700898731

SHA256
c6bf661149bd75493713fb9134720373bb5bb17555b5a6a318f586f7caa7aed2

SHA512
7007a0e41117db63f683a3e3b80dc1252ff273e963b08ad9dbb3ccd69ebe37138d1e962639c60ddda0fda44889ae8867474fd2bb3cc5a9bfbad191d8fd7d68b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
34b8adfee0c2bf9305618c1e2ab9b513

SHA1
3dda021c9bad32e88476b11ba475a3daa6ab5e0e

SHA256
06b7d63da224bbc739afebcd6d2c92ede1d868a6f6156043cd78419fb688e216

SHA512
f2b3823ea8cb82bbf534028d5d19bb9e75ebbc577b31ca5366a810742648feedd959db387cef9c8770fcb51eed5a9c3708751250fa6e7c35a66d51eea2c7b3c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
71121c8453680bd9cba39f7a2c26179d

SHA1
f1814a8a68d305b01a1f14cd3b319e17cbc946a6

SHA256
9089ea8ba9e15e9a58c956accbeec8e6ecdc0a0b4ed60c4272653d20b3f4fb0c

SHA512
7003d9c29cd6e9d187b6e2cc33246aa39a72da5a46925b93ffe08d8f0a9fed637e937f52a752f9a19e7a11f64fe5ecec7dfe5147e1b97316630ecf1b77b78670

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
921d5830e8919ee1450e63e93b5d029b

SHA1
3976438e860540f7c3523f54e1908108cc27b5a1

SHA256
473c188db72ea036087495ea6d0cf45315ee3c90cddbd61ef102e8fb2a342ea1

SHA512
39d9b4bab16ef4a3e4a03f7242539c6666d998ce3585502927df62c7a94a903a459f55bb34a667225070d84c2027abb77787ada741b34422cf1865ad89726908

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
4116c922579e50bab563571f898214cb

SHA1
76bee458174bb2a7b82ed1ac06d2a4e23b172351

SHA256
69bffbac22a4cda834b643425353922aedebf05ce6d509817994056d796dbf7a

SHA512
e838311fe705e9919dc79317470cb9b28a8bf0f0f3d1e9c9d8c3cbda436a59c0cff5a6aecb7754bc92503b2304b48d46b4b4ad7acbba6bd058bdd80692cf76f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
b967950e18f564a0c80a04bf5d356524

SHA1
58537b896d28b2b0a3f21b2cdfdd9ffe4bdfce5e

SHA256
4acb08d10caa97c2695a09c64665a07b8c9280f4c558ecdd4ed14dfe7dd6b771

SHA512
ebc2272558167a910fb6ce6718441583d3e4ba6863c5b78316f4e15a742acd45f30d816533b11aa736f6a1a67d38aedf826a6adc5a9053c570a244da5a9d26ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1bc56a09d40f1dd5d3694ecc004708eb

SHA1
a5be5f9ecc441935b5a41f69b5e34a5eeae989e4

SHA256
2aa3900e2fba6562ad720ad484e2a1c008196340436463b38c8db4ca0d8657e1

SHA512
e13039109ddc9584b101162c1ba42be733f2394bf0e97bd38b3b9f29fd3458ea16bf5509cf65e51de2abada91eff86cea87d76000b4c3da6b406d62aa117dcf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
9ee4a3883fed31ef71cadd820035acb8

SHA1
b0d85490abc05fbf7212b1c3a27e32e9a509699d

SHA256
d429581e2d28a22e3df2b7503ea93849f2772553bc83d4bb16ba3d6ebdf3168d

SHA512
19a0fda0542dfc0ae813e3b77e3a4709e0054834b8a5d0790519b6f084940a7cb79076b56d4f84858d6332bf20a97b6332cab149bf3456204d6b8c951139bcf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
02d71908c743ce1edaded605f73138d7

SHA1
434d9d405d0bc73136a975dd24620066cb9f3ae8

SHA256
1ca6aae7dc954ee31533876c3a5098803b745d5d165d3d418fee4d77fc520c0b

SHA512
5767c94ef607e26dd7d4e556c501fd92adac38a3066758aed9920ce8fca7a4c1380f0811d1ddef8a9bd7f240854b663c2e43652c04e15a65a60afc8d4dcfe36d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
72558d2e9c9dc80829830ce02395da46

SHA1
623d38de3a49223608e7553311d1c0e8371d5809

SHA256
147af6b3a2e19e29e9312f4908cabf186075d3d06daedf3a1d19ed7c23b66f4e

SHA512
9cd51f99facf29b91e900c4f798cc501f1cb21ffbdab7a065f552fdf262d979427563aba6942c1892060ca2e9839db24375ad1b4bab80a938c44a5a9154b17fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
2e6b9878b485c3e77db17d68f9f4de40

SHA1
dfe0a7a83c7bc8870ff001aee5b6ad1ce8acdbe4

SHA256
3f11ae38c48b528ce21ed329bcd11b01f722423bcea97b51be8a58cb86fcbe0a

SHA512
81a9ad07c69a9931dc5bc192bac05b2625ceeaae826959f6c5f0e7dc27d96556a6388fa4134e9736eca00f6a7cc857e384dfdb272269259d6b1b11b56605e0ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
ec2689526a57c4754e67768dd000d9d0

SHA1
77f2c8737b78afe364b0b692ddda95ab55322b71

SHA256
47a5aeade4b89f091336408d8d82f6dae3fe2b093c6c4178af146363f74db33f

SHA512
28d7735fa98c2187e16abe93de7ec227e11042626055ad2ed80de7fefbbdddd4305633f7c136e69bc89e36e51fec45223c9df46246882a2d20af308605cf38ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
d90d3ccabfeaec735f60016367376cbd

SHA1
adc3c50302189f3c57723069563494d386da2cf2

SHA256
c928f6c4a58505047d71e3d28319618296cea4f3be159129c3f03a1eef731b8d

SHA512
1058ed91cf66f40eeef993f7825f0b958c5a7549e03d62feacb74e7a9556e87e97b2d7724773ca27a1013cf29a35aeceb9d117db72af1739c26734a7f0628782

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
d7c2cbc7aa397cf7392f4c9bb634c16f

SHA1
afe93ffd4bc8d91344f7f349c350580dd70c2884

SHA256
f6fbc88ea1b53ec8b1fe8966b384bea45b4e5d102066b962ab46a6625f6911c7

SHA512
d9962519de9574def9ac937057aca33dea49b066f551647f13530812f211aa9d4101ad32bec86eb2818a9b3f1d88141295f96c348f393d66dc4b98ff71c5e7c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
abf31b95aa940135eab2cc0eb8c09cdc

SHA1
fe7599eb9ec359fea39fa4edb9b503959b1e96bf

SHA256
5717a00922c13aa10d7629ff3cc5d91382ef4b93610a55d66f2a951d797921c8

SHA512
7207532968a0e934db644a8a2605f991df9a6dce23a3e3d0b56ab07c53737891a66d9236099f8d62a8e81f3b3733927d74672384d2231144c420f0641f841d83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e47cab6934932fddf7919e9dd8393a80

SHA1
4e0b422eea9ef52a5a2ad9cc264308080c236284

SHA256
24fd4d783ab4bf1512c2db7ab06c4856040a5498b617b928b1be005bc2aa57cc

SHA512
cb954878cb373b69e4113852cd4c11a39dda12f867ec6e6137cf2bd4389cad5b8989ef2b848b13142571dc27b3430cffc2845c3a99f26952ff3e2eb7680dc4b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1cd4205bd8f5a637060a371b1b6607c2

SHA1
a655ebf0a6b3d10f6a423ef12d7c5dd94b9028f8

SHA256
5ce06679d26303ed656e4380542863f382bfa211e19ad3af3e696427e801e1cc

SHA512
1061acda41971e3da18da5d2f5638cb5929c5be6ec3f1300446362ce2033c4e1b48ef1be8c0f09fa459e675d5b5981841af12c7a99df9908124a53a0818fb4ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a1f91bcb450d9a209898bfd41925a6b8

SHA1
17e95be0cf74a6308d453e3a290b6d45b957199a

SHA256
89a0c5e4e744fd0ace14bd6a18576295ac409583b2243ad004e2edb49748c4d1

SHA512
6362357c9137b7326199c85fe7b5bb250f608570d6739c48959407effb9fe1be03b0ae2b6354bf267f03e088d7816d31de4ba6cd7eb2c5c8b2e97bac15da1990

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
796b418182f1cfaf6ac0aaa651e84506

SHA1
5cbf9ea531d67d2767ae648fc0a82cb520385c41

SHA256
8bb9da74054b8b74a875a642fa59fb823c5081c77622129b2ef1066870412756

SHA512
57443390c139e9fdae4fb72194212addd1c029e373c293f46f6b65035f9e1f48bedd437cecf723ca4a73909270db3dcaefbbee0b196d9ca75df867ab3c4c7cba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
14e227ce1c95c1e560a66e6f3dab8a87

SHA1
ba37c397b83341bfa62546eb512a1c54fed59a74

SHA256
95fbc1e7cfae895a4c1083c972b227e2c4d9fbd19c287555dad8f5a0495a3e87

SHA512
0af7ad39b2ec0a77017a8c04a87bab658523cfdade68215722dd26e2cc3591957080b6386c84dcc455157bd80d693f7247d5a07a0446d8432406b5b75b7100e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cc305cdec420f7ee16bf644209b409f3

SHA1
e463bfc8b8c7df2d71e51439266d7300be56b2c6

SHA256
ac4522e99ee5d98648ed47441a427325d7b9024b38225af46c24f800e2519526

SHA512
a9e0c53714a5dc51fd5cba07a6205948622b08c69a7a11c80cc567e0444f580788e1cc84768a44de510cea06aba50beaeb435b55fc1663933113a4c64b7f2693

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e132049c4ecb44477d3b96fc48177ae1

SHA1
c984f628bb4c271ef349b8bc234c73b7fb64eb3c

SHA256
6465a6c6df1c23e386c90c5c330be2f9ac63b99b9e82c16c571ffb27fc4d61d5

SHA512
fc1d5a67e062e24930d51dc04c3c43b8c5b5a74a3790947ec5bf43bf64b3840ba01798656ebcd5f7e66a5ed40422eb3d7e1d22ed34a9fefe43f4ed515ef3595c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
72e5ce2215d928ec226632d96790000b

SHA1
6fecbd3583897ae458adede09297267cc48a1c14

SHA256
bfc0012bed768443a7121f3d231b35e99eec81273e6d0034fd46c6ee2430073f

SHA512
f379486a1d094feaa8ffa28fff3d41dc34dc8f0be49d1fe5fc91019cdf962884ca2b85bdf07a25c904072573b82b067a01ed88fc2e07b32a100e4f2da46f1c1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
8c0517d79a19d7464495ab9f8bb725cf

SHA1
68ad0286fe3c694652e95aca773f59e23b761108

SHA256
4f1aff00faf5790fce2d4e3f2fa789379619e17dc867cbd7983daaef34ce4ef8

SHA512
1d42b28a0a3c1150ced5197006d3b7e910f46cfef92418dfe7a4293c229365177ea69ce44466450c1a5c3084e285c7caeddf6fb9393988f4201f1a65e4063d20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
298b7068376bbfafa142001a1ecb4da5

SHA1
fbc9071245ba72425b244f550df1d6e170128d46

SHA256
22d603b903468d6adb3909c522269d05af87b94a6aa5ecc85f7c592c019fff05

SHA512
68a76e8ecd75390402a101332c627163664e8fdeb4bd57b2833bac735fcea2e8256777f44d08d2518ca34d4c4936ce53bc010aea5eecf602072ca32ecae59c33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
492680c6bdfeceae9318b33a93bfcc12

SHA1
77a691667ee85734f9aa62d088844f414691c25a

SHA256
7ce4a802a79db3d19242869000f96bbe5c7604ae75522c9a03d555b4b80fab84

SHA512
6fd034bba5f30651ea9aa63d67cbc1643d61ba1f1b9e71700427203be716491c53775e23e56d06d3bb849526ddb10aca1fd5b692119cd594c7669203cc66c1e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d1483a9f134fd55f9fb7e5e96eff4441

SHA1
e8ce3d348014983c05a630e4f3e6ad4dd3054032

SHA256
644e06395763ccb196f8d962e94ac507dd636130bef952c6adf7da575cc99046

SHA512
7025e357b23475113484fc2759ccb8b055c2606688879c621a569e1bd7d35145497bb6b5a8dad9ac1a369647057358728ac018880883aca56bfab972fc8d8a2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
a22bc741d1aa470e047891b06fc0d487

SHA1
314720f34224d3f642f297e99fd66e0a340ec626

SHA256
90bbd118f42708fb13321332ddb5f5b5ea881cf06f73034ca74d63b114b8bb5e

SHA512
5f54c3d8ac06fea05e0a1d2e7b0f94c3af17754899c85cafacff6981d14920748a20ee0ef90e17eae33107a4e1fae0b4cf98a40b0465148839d38364053c89cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
287e5ffb29cc04921c68f95214ef7a36

SHA1
99727577aa805491b805befeed2e3bea95af1687

SHA256
f1c96d53e8cdd1287f3d007d18700b4fbe9c94eab0d21c4a1c9ac414f28d5e54

SHA512
755bafcb1e34f26df3cb2c6094ca1405c3b52896f70147a9963d33641ba9b1ece34e32b45b63894699535c8cd045121484ab09ed0a5d28f541536263db58c863

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5aea9b3c92368018d68ef8a6c7d1f520

SHA1
07a85bae4c8f7e6d81659df9e203b8afdc0dfa2a

SHA256
fbb310dd81d51406bac8870239fa2de54c176fe190d36afbf63fee6b872da628

SHA512
7ec021c8a6044fd7679222cd5b1d78f5214513a81ac2159b740434bec43c15990d5ed6c26f69c4853707f33e52009a6ba33387d1d42fb8dcfaaabda0ada24ff3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
df32aa0a6206feeeea9e28f9679593a2

SHA1
37a730d300f613de3776c5f49f2e51f61308a7e0

SHA256
c6461c33d8eb08dd3ca4c3d55cbf8a7985ffc6c6d40c3acf7dffb9b67f53dd3d

SHA512
d312b0f546faccbc44d51a3a146f004eb00d515a76962529a344f770b2d523f4a155796179801dbbcc8fccd368532a12a87f3d72071bd68ba6413002d1a52226

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
83a9604f9d8762379dabc2006673fdc3

SHA1
55d598c4233713906a450f40e5ac98a1e09256ff

SHA256
ad8ec600807b846c2323d07bb5ace56065b124ee52152236561d15eb071b77f1

SHA512
6eaef657cf66e5231b1e1bc30a1537096a26555c72c8440d181e0c82c8acad55acb27608054cac3a170013047fcd13f0de52a9919f2e1ab22520f55ee585b6c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
b83b75d4b178e6e4200bd61b1c1a060f

SHA1
ecf0e6846339fb9f0ef938e9d78139d4e7afab11

SHA256
08a31309b255d25ceb92fd512317cfbcc262ce0bb212b7ecb729a57716be8869

SHA512
eafe7f3e9c55f264f0ad08f96436a18c88b02ada4f750a60624ecb3c6b5ac99e675cb9eea2ffcce589c2517d738965e8bdc7d3382cb484557be5b88e97bfd2c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
b838e72bd70a7cbd92b460f41be29856

SHA1
dc8949990ab46be2068df29ab1f044d83eb24b5c

SHA256
8afd87faa28d1bead8739f690cd03f7d786b3cb23228f9a4bb6f2066fd8b4106

SHA512
7eee3329282b7a98fa207d8db2513322ecb391cfac909879aa5b78f81d33da9e781f50d05dafff8609b794d3e19e3bdc79ef353a8a7eae83f055039fa1e3c5e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
41e0e9ab2435068fcefdad8e2ffed163

SHA1
265560df060fa6b65a6be3b74f5d228814aa9c73

SHA256
9b597d23c7cd412d6c0a79d065e6a6affc3e5c92db144d12f99f6dc589ba33b0

SHA512
8c9932bcc2eea137413dab6ad431909d3b44a6452975c8886c017c2d37e731e732a3eaa41033e91c026972d5f4f7c1c6ecb63ebedea302dfaa9d9657857195c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\3\CacheStorage\index.txt

Filesize
83B

MD5
2b0fe13e23e6515437f2eaed1f38a556

SHA1
bf87abe185ef14277e58f6a06ff35b005ba087fa

SHA256
b7e3e9b009d160436aeb60381a5be9b3e785905a8da68d6996f2d3f631129d7e

SHA512
77b1297a9b5cd5e2b4e2e2902132f46b2c15595aa2de73447f651565c520f5f726b650e6ca01fa706ba8c5e8513e6267153e8e6c17fd7db283e5b48fb7b1e070

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\3\CacheStorage\index.txt~RFe5dce7e.TMP

Filesize
147B

MD5
975641c16dae3ea60581470de685fbee

SHA1
016b1dfe78d4f5c767faba28519d28da1dc2d5a9

SHA256
7769b2f85897fc0c119f203228143c97738c93dbb7ca19538a47a0a0c31905a2

SHA512
6015aa49a326ef22a234b2c11cfa38cf2f5d29672d6a613fdf3878635478a92c54c4f594466b5113ae9a93478d792581eae1fadf78d32a9355eb7537b7c1d6a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\3\IndexedDB\indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
208cb5cc221cd3b05fec16027c279235

SHA1
c7d6078c24dbb2f6297205695e3eebbdf4487337

SHA256
8cce8f0d5a3253d6bf8c66fd8d127b55d5b46f35d5a1cb9cb507ebf19a6979f2

SHA512
ff404b3d7a922c3b45259a424f4099b12dd9d733047dc7dc0920812a488ab04410a882d1d4a6a43937ebbdd50ec2145bc3b1c28c329ca943119ac5e2c5a43708

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
b30a564f1d21ead5b04a63623f35913d

SHA1
d768d075fec426d7914e2adb276e650e704faec0

SHA256
d7ea9f0173f55ff223fdeae2047d8e6a142790af6293256ee980fc6a01ffc4c7

SHA512
53234f428bdcfb56011788904dafa53ee10affe4deae422067179a710e75e870c8f293c70545dfa75a2123691b93f09f6f0c3c1d9f5a3be723f5690e37528bbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
9eac7de6f3eedbeab63249dbcdb74207

SHA1
badf4eff1cf580dfc23c265ee27936f597c3782f

SHA256
b1996d6b45a6fcaa3e85714db2f20369b0bbdcea3335ff3d2d7d008d29530c39

SHA512
4063fbf61b261906dfb2eeea8b4183f2bb2494764417639cae0ef57d0edf3bb3658dc7198d87c8554003dbd04d7fa19602a6f0d83a9347ca3d21a434489d29e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
e0ee3cdf1cf6b621311a8a6cef8a1c7e

SHA1
13741cbacef35e91c5d50a4ecb4e10f74e1b6f8d

SHA256
b54562bbae850fde79aba88bd787c79702e78e02c0fdc2fa7417e03768d366f4

SHA512
b9363e789fe8d997cf9923442ed614b23ab51f216a9d36b1dc5fcb48be3c52b8b16b5c272738986718fa1108e966d0b14d01caea7dbdfa7d021933f1ea76a1cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
fba4410e980917584d0f6ce287cc4082

SHA1
cbd9513283e7822b0d06b269880e0b8dcd3108a6

SHA256
5e35eb87d621f49933e588907310fc93052be0f1c75c47c75b2814a261ae84ca

SHA512
bb5cfbf960427a6b6d7e77f60851ee2cfbc6c664e2f8c440d9de0e0f7afa1d4fc715167428a11447ce462df6a3780f98662d31510c1094d9934bc15be625ddcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
3dc3ef6bf94b8eb253c94adfc09d2d6f

SHA1
322b5fe6d1407a008c62fa0df8ee49bc56592166

SHA256
e88cc614cdff82f4eac1050a7a5f798a0ecd0a5cdb2377b508ea823ccfeecc71

SHA512
2c8ac8aeee2cd3bf59dff8897a582c13415b722127429bc9a3bf8fd75f9939b4f7d586b228da61f11c0cc3073ad3ab1e69901d8e3d9da7096025e40e89a6dcf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO SAI FOOD PVT LTD .exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
204B

MD5
b3b704828a2a41bb72210fc1664e1665

SHA1
15da0bc702f213ca35e6ac84ef598c2bb6a42e37

SHA256
194cc2c2a4b40673497fce85e6dd460882f4a326ab8108c4c68390fe6a2ecfa4

SHA512
28221def324f298bd8ce8d0560475e67368aced68ab8c0bcbb99b8aa5cf29681dd276f32304fbe20c4facfec83904972fa95197f5a4357b560d61abad5767573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
fdb51e15658f9a55f84830d4bd1906e1

SHA1
12fb517a33302493c5907d6306738f5f3ee0c819

SHA256
29c61550dc2bf22b07a4a8328bb3792df91ea9cc7e94a87a339536ecd32772e7

SHA512
48d861f17cc38bcff8f7bcad20de9091fdef38b419f6cb4a506caf8b86f9cc0ac13119eb57f7ee6fbdf61f244cc349b02c4437855e9aab7a1ec45ee20dc66fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
469ff1e71da7528a619ca9564a3d058c

SHA1
aa4023dcea064383bd68e987ddd01e5b9cced5e9

SHA256
ca657b2796b1cc8837b63e9702a1fd4a060d4cf18e10adf378ae3099bea1782a

SHA512
2d0d626c17d2448e52d87a69ea10cca325d06b576c6051f4c596bd1b5e0639f4f11408a132850b290f9e043056ab809b6d973a3c152b40717f154463494f0af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f26943e2f7d687f723db6939cd93cbfa

SHA1
bd937a202d06613fd24582828c29cc7f459aa311

SHA256
61b3a068baf395d06fd4facdc0a939ebba770dcad669fad9783ead16614abcc9

SHA512
ab2cf813af7f7893d6940234028e162f9be9a85173092f36834fa883986b3b45535430a21a820b303db4dc84e38b8dd0cea0a05dfd14aa09d3102bf78b5908cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4ead387cee3bacddd227d55f432abfc4

SHA1
bba3edfd68dea94c14f4ce2e7ce0f5c38c17e4b1

SHA256
ec166e18999d60293185f0383ff332872303834ef7742542da19ec33916c9b96

SHA512
973ca2d2aeadff0f7317cbad0daacecdc432bb03aff3146d937cca8b2d00280d477a96aa03c270c4ee07bd2175ed939b90cc6f0037e10fbcfd219cc324e0c29c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1c54a200baa6d2a959b83cf9a0b4151f

SHA1
85d570e5318f6ecdc855de81dec760ed0b86c17a

SHA256
09e3168cf0262fad83cdcd4fabd54cdbb45935418b6cfab21dc7da6e166b74b3

SHA512
4a92689fa3dce985826dbedf43b96c8d5a125f05519c061bdd968bbe9b45ef1a36ea4d43fb2aafb475e6f5222c63006739949fdb58de4a800d2c0c6af7e3a75a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
13KB

MD5
3cbd7f9a7e91313b76cfa9cdbc5561c5

SHA1
cda3b3803c491056f5169983aa26b34afab35db3

SHA256
6f8302491726917544748d6a1825d3225f535310e8c13fe4606a8102dfca0b96

SHA512
cbe81b1437a62676063996992ecf7bf5e1933f68a56b5ad904342a15d9391ba7bb909f76910ead0da236b9c2ef112ac57db0ab06c8d8b9750cdc1995d5658f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
01805a1b46891a2e89cc4b2a795ee13a

SHA1
99bf003ad614dbccbb672ef473ce6991d7cf5b05

SHA256
2eebc36d693030d8882bf06e0ed6c31afc6573b9f10924ad91b2f1a79690f399

SHA512
726b0fee73e1d359aad97f96b8d28bc07af80460581e0a41228ebc6712e3aa1bc6017ffcbd931b5f9c7b7ee19dffcb1d1ce8ef653cf9402a9167981f4c9f2d4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8937ed8c8b8a5b703768d188c179213c

SHA1
21c380770b546485582df376d5535ea7d3a78f34

SHA256
37bb0fd76bc445e7f8f3bd127b5c7b50eed57e9871f227cee577d06f347a5113

SHA512
0618cc28c699337f9abbb61fafb52f9f1a32f43c7ea6165d6c6064de06678d22e2870f10963a61e72f51393503471f9240e1964aa1267567cb9a9272358bc193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3cf300b8e219954f0c6ae8efbc722b22

SHA1
981d4198629902962094e1e988dc8fcbb80e0b81

SHA256
da64ede51fc03dc987e976f149d0470b98bfef0997709389ec5f154dfaf3bf14

SHA512
9eaa3023de5b9ec2396a49d7889c162af4c79f016a0bd901e3a4e6f8e36f4b52ab7340de3da4741c3a90c34b859daf3c8395ff193bfcb5d7b0400027f0c91d1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0c2fb163c405e7df601bf4c4d5bdbd8b

SHA1
0d3927ed1f7238d79bf1ee9eab15608078c4036e

SHA256
9cbb19addf9589ec1cf40aa6653c9abd97c20b5df359aeb6627c7fba260a0c05

SHA512
d1747a5eb1ab5a8d3e5ab00b9f76545511402770cf76a945b3575124d7ca061e95fa61326bb4544060e553a34f72b5f6348384b0bb4ed64146ea4c95ceae64c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
41b360f0a0930b7eeb84f6711e93ede2

SHA1
fea084cfc3a030dd96642317d98c68bb48458061

SHA256
cb40733e2295c908daa5346cbe63c5b1a8becba04741228dcdc83ba1118f73b3

SHA512
26316b2df8c72ec89f64b83c4b830fa1f6aa85d39a3dd67c4fd315d2eb3a43c0eb831c11177ed50fae6ddaddc0ad750a95ab5a24fc323a8e981e26ff10a0f60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p1wwymvr.2fv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC2A4.tmp

Filesize
1KB

MD5
22a41142fc05e337f14559de9b3c886a

SHA1
96b5fae7f0c2cdfbab0ca200d0b912666fdada98

SHA256
c96accd7eec7efda55c5c08c1e04d56f845d3f60fa237d21327b40265b86d899

SHA512
f86f8ba35373dcdce662ce89c8c95153becaa97d186a46e2750a4965b7f686123637e2643606eedeb89826430b32607b951240f41e4f84c61d5c72eb1c9bb215

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe

Filesize
1.0MB

MD5
dea59d578e0e64728780fb67dde7d96d

SHA1
b23c86a74f5514ebcfb8e3f102a4b16f60ff4076

SHA256
71dbb1177cb271ab30531fda54cad0f1ea8be87182f96bf21f37dcf65758f6ce

SHA512
64663c97bcea47b6c265df2598e12b1dfeb437efc6e78a6a23cf0a02cfeaf28b054cc5af85b2d1aff3822c5d5b82905952db2722e095e138a0bf0203977d4bce

Download Submit
\??\pipe\crashpad_3796_SUBIAWOODVJBBJGC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/216-106-0x0000000006120000-0x0000000006474000-memory.dmp

Filesize
3.3MB

Download
memory/216-140-0x0000000070F10000-0x0000000070F5C000-memory.dmp

Filesize
304KB

Download
memory/560-606-0x000000006F120000-0x000000006F16C000-memory.dmp

Filesize
304KB

Download
memory/1088-273-0x0000000070FB0000-0x0000000070FFC000-memory.dmp

Filesize
304KB

Download
memory/1184-190-0x0000000070FB0000-0x0000000070FFC000-memory.dmp

Filesize
304KB

Download
memory/1184-157-0x00000000053A0000-0x00000000056F4000-memory.dmp

Filesize
3.3MB

Download
memory/1232-82-0x00000000076C0000-0x00000000076D4000-memory.dmp

Filesize
80KB

Download
memory/1232-53-0x00000000756F0000-0x000000007573C000-memory.dmp

Filesize
304KB

Download
memory/1232-19-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/1232-17-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/1232-90-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/1232-51-0x0000000007330000-0x0000000007362000-memory.dmp

Filesize
200KB

Download
memory/1232-16-0x00000000052A0000-0x00000000058C8000-memory.dmp

Filesize
6.2MB

Download
memory/1232-15-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/1232-14-0x0000000002840000-0x0000000002876000-memory.dmp

Filesize
216KB

Download
memory/1332-201-0x0000000007F50000-0x0000000007F64000-memory.dmp

Filesize
80KB

Download
memory/1332-200-0x0000000007F10000-0x0000000007F21000-memory.dmp

Filesize
68KB

Download
memory/1332-189-0x0000000007C00000-0x0000000007CA3000-memory.dmp

Filesize
652KB

Download
memory/1332-179-0x0000000070FB0000-0x0000000070FFC000-memory.dmp

Filesize
304KB

Download
memory/1332-178-0x0000000006D10000-0x0000000006D5C000-memory.dmp

Filesize
304KB

Download
memory/1456-619-0x000000006F120000-0x000000006F16C000-memory.dmp

Filesize
304KB

Download
memory/2064-664-0x000000006F120000-0x000000006F16C000-memory.dmp

Filesize
304KB

Download
memory/2080-238-0x0000000070FB0000-0x0000000070FFC000-memory.dmp

Filesize
304KB

Download
memory/2328-588-0x000000006F120000-0x000000006F16C000-memory.dmp

Filesize
304KB

Download
memory/2468-513-0x000000006F120000-0x000000006F16C000-memory.dmp

Filesize
304KB

Download
memory/2608-93-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2608-92-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2608-95-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2896-522-0x000000006F120000-0x000000006F16C000-memory.dmp

Filesize
304KB

Download
memory/2964-45-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/2964-3-0x0000000004B00000-0x0000000004B92000-memory.dmp

Filesize
584KB

Download
memory/2964-5-0x0000000004AC0000-0x0000000004ACA000-memory.dmp

Filesize
40KB

Download
memory/2964-9-0x000000000B530000-0x000000000B5CC000-memory.dmp

Filesize
624KB

Download
memory/2964-4-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/2964-2-0x0000000005010000-0x00000000055B4000-memory.dmp

Filesize
5.6MB

Download
memory/2964-0-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

Filesize
4KB

Download
memory/2964-1-0x0000000000120000-0x000000000022C000-memory.dmp

Filesize
1.0MB

Download
memory/2964-8-0x0000000008460000-0x000000000852A000-memory.dmp

Filesize
808KB

Download
memory/2964-7-0x0000000004DB0000-0x0000000004DC6000-memory.dmp

Filesize
88KB

Download
memory/2964-6-0x0000000004D80000-0x0000000004D9E000-memory.dmp

Filesize
120KB

Download
memory/3056-608-0x000000006F120000-0x000000006F16C000-memory.dmp

Filesize
304KB

Download
memory/3296-215-0x00000000054B0000-0x0000000005804000-memory.dmp

Filesize
3.3MB

Download
memory/3296-228-0x0000000070FB0000-0x0000000070FFC000-memory.dmp

Filesize
304KB

Download
memory/3312-554-0x000000006F120000-0x000000006F16C000-memory.dmp

Filesize
304KB

Download
memory/3780-385-0x000000006F120000-0x000000006F16C000-memory.dmp

Filesize
304KB

Download
memory/3820-433-0x0000000006FF0000-0x0000000007001000-memory.dmp

Filesize
68KB

Download
memory/3820-362-0x000000006F120000-0x000000006F16C000-memory.dmp

Filesize
304KB

Download
memory/3820-307-0x00000000053F0000-0x0000000005744000-memory.dmp

Filesize
3.3MB

Download
memory/3820-333-0x0000000005C80000-0x0000000005CCC000-memory.dmp

Filesize
304KB

Download
memory/3820-512-0x0000000007020000-0x0000000007034000-memory.dmp

Filesize
80KB

Download
memory/3820-372-0x0000000006CF0000-0x0000000006D93000-memory.dmp

Filesize
652KB

Download
memory/3844-128-0x0000000006520000-0x000000000656C000-memory.dmp

Filesize
304KB

Download
memory/3844-129-0x0000000070F10000-0x0000000070F5C000-memory.dmp

Filesize
304KB

Download
memory/3844-139-0x00000000071F0000-0x0000000007293000-memory.dmp

Filesize
652KB

Download
memory/3844-150-0x00000000074D0000-0x00000000074E1000-memory.dmp

Filesize
68KB

Download
memory/3844-151-0x0000000007510000-0x0000000007524000-memory.dmp

Filesize
80KB

Download
memory/4108-76-0x0000000007E20000-0x000000000849A000-memory.dmp

Filesize
6.5MB

Download
memory/4108-72-0x0000000006A00000-0x0000000006A1E000-memory.dmp

Filesize
120KB

Download
memory/4108-20-0x00000000054F0000-0x0000000005512000-memory.dmp

Filesize
136KB

Download
memory/4108-22-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/4108-21-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/4108-39-0x0000000005EA0000-0x00000000061F4000-memory.dmp

Filesize
3.3MB

Download
memory/4108-46-0x00000000064C0000-0x00000000064DE000-memory.dmp

Filesize
120KB

Download
memory/4108-47-0x0000000006A20000-0x0000000006A6C000-memory.dmp

Filesize
304KB

Download
memory/4108-52-0x00000000756F0000-0x000000007573C000-memory.dmp

Filesize
304KB

Download
memory/4108-73-0x00000000076B0000-0x0000000007753000-memory.dmp

Filesize
652KB

Download
memory/4108-77-0x00000000077E0000-0x00000000077FA000-memory.dmp

Filesize
104KB

Download
memory/4108-78-0x0000000007850000-0x000000000785A000-memory.dmp

Filesize
40KB

Download
memory/4108-79-0x0000000007A60000-0x0000000007AF6000-memory.dmp

Filesize
600KB

Download
memory/4108-84-0x0000000007B00000-0x0000000007B08000-memory.dmp

Filesize
32KB

Download
memory/4108-83-0x0000000007B20000-0x0000000007B3A000-memory.dmp

Filesize
104KB

Download
memory/4108-81-0x0000000007A10000-0x0000000007A1E000-memory.dmp

Filesize
56KB

Download
memory/4108-80-0x00000000079E0000-0x00000000079F1000-memory.dmp

Filesize
68KB

Download
memory/4380-48-0x00000000051E0000-0x0000000005236000-memory.dmp

Filesize
344KB

Download
memory/4380-30-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4380-91-0x0000000008150000-0x0000000008158000-memory.dmp

Filesize
32KB

Download
memory/4416-97-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4416-96-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4416-104-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4548-647-0x000000006F120000-0x000000006F16C000-memory.dmp

Filesize
304KB

Download
memory/4656-649-0x000000006F120000-0x000000006F16C000-memory.dmp

Filesize
304KB

Download
memory/4744-586-0x000000006F120000-0x000000006F16C000-memory.dmp

Filesize
304KB

Download
memory/4816-564-0x000000006F120000-0x000000006F16C000-memory.dmp

Filesize
304KB

Download
memory/5112-283-0x0000000070FB0000-0x0000000070FFC000-memory.dmp

Filesize
304KB

Download
memory/5128-620-0x000000006F120000-0x000000006F16C000-memory.dmp

Filesize
304KB

Download
memory/5220-663-0x000000006F120000-0x000000006F16C000-memory.dmp

Filesize
304KB

Download
memory/5276-692-0x000000006F120000-0x000000006F16C000-memory.dmp

Filesize
304KB

Download
memory/5476-703-0x000000006F120000-0x000000006F16C000-memory.dmp

Filesize
304KB

Download