hxxps://drive[.]google[.]com/drive/folders/1bhBRHEc1pstswyQzyw513K1TM4C0jDp8?usp=drive_link

Analysis

max time kernel
80s
max time network
81s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03-10-2024 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1bhBRHEc1pstswyQzyw513K1TM4C0jDp8?usp=drive_link

Score

6^/10

discovery execution persistence privilege_escalation

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
5	drive.google.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4696	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2140	timeout.exe
2172	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133724657429673025"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\EXM Free Network Utility V1.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4160	chrome.exe
4160	chrome.exe
4696	powershell.exe
4696	powershell.exe
1376	msedge.exe
1376	msedge.exe
2944	msedge.exe
2944	msedge.exe
4176	msedge.exe
4176	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4160	chrome.exe
4160	chrome.exe
2944	msedge.exe
2944	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe
Token: SeShutdownPrivilege	4160	chrome.exe
Token: SeCreatePagefilePrivilege	4160	chrome.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe
2944	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 332	4160	chrome.exe	78
PID 4160 wrote to memory of 332	4160	chrome.exe	78
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3636	4160	chrome.exe	79
PID 4160 wrote to memory of 3676	4160	chrome.exe	80
PID 4160 wrote to memory of 3676	4160	chrome.exe	80
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81
PID 4160 wrote to memory of 3352	4160	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/drive/folders/1bhBRHEc1pstswyQzyw513K1TM4C0jDp8?usp=drive_link
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc96ccc40,0x7fffc96ccc4c,0x7fffc96ccc58
  2⤵
  PID:332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1736,i,6954716529076282749,15689083639548801459,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1732 /prefetch:2
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2068,i,6954716529076282749,15689083639548801459,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2156,i,6954716529076282749,15689083639548801459,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2364 /prefetch:8
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,6954716529076282749,15689083639548801459,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,6954716529076282749,15689083639548801459,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4572,i,6954716529076282749,15689083639548801459,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4836,i,6954716529076282749,15689083639548801459,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4568 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1508

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:772

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\EXM Free Network Utility V1\EXM Free Network Utility V1.bat" "
1⤵
PID:3708
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:4516
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1660
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2140
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:768
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile Enable-ComputerRestore -Drive 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4696
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
  2⤵
  PID:2952
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
  2⤵
  PID:3644
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:2348
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1532
- C:\Windows\system32\netsh.exe
  netsh int tcp set heuristics disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1856
- C:\Windows\system32\netsh.exe
  netsh int ip set global taskoffload=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1592
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /v "DisableTaskOffload" /t REG_DWORD /d "0" /f
  2⤵
  PID:972
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DisableTaskOffload" /t REG_DWORD /d "0" /f
  2⤵
  PID:4556
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "4294967295" /f
  2⤵
  PID:2272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_NetworkAdapter get PNPDeviceID
  2⤵
  PID:1052
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_NetworkAdapter get PNPDeviceID
    3⤵
    PID:2900
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Enum\PNPDeviceID\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
  2⤵
  PID:1896
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Enum\PNPDeviceID\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
  2⤵
  PID:2128
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Enum\ROOT\KDNIC\0000\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
  2⤵
  PID:1828
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Enum\ROOT\KDNIC\0000\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
  2⤵
  PID:2884
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
  2⤵
  PID:784
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
  2⤵
  PID:2200
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Enum\ \Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
  2⤵
  PID:3420
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\System\CurrentControlSet\Enum\ \Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
  2⤵
  PID:4328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
  2⤵
  PID:844
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_networkadapter get GUID
    3⤵
    PID:2604
- - C:\Windows\system32\findstr.exe
    findstr "{"
    3⤵
    PID:4128
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3398A700-3921-4678-A0DF-D6A5143B4661}" /v InterfaceMetric /t REG_DWORD /d "55" /f
  2⤵
  PID:3612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
  2⤵
  PID:1396
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_networkadapter get GUID
    3⤵
    PID:1348
- - C:\Windows\system32\findstr.exe
    findstr "{"
    3⤵
    PID:4504
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3398A700-3921-4678-A0DF-D6A5143B4661}" /v TCPNoDelay /t REG_DWORD /d "1" /f
  2⤵
  PID:1316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
  2⤵
  PID:4148
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_networkadapter get GUID
    3⤵
    PID:4748
- - C:\Windows\system32\findstr.exe
    findstr "{"
    3⤵
    PID:3388
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3398A700-3921-4678-A0DF-D6A5143B4661}" /v TcpAckFrequency /t REG_DWORD /d "1" /f
  2⤵
  PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
  2⤵
  PID:4956
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_networkadapter get GUID
    3⤵
    PID:2856
- - C:\Windows\system32\findstr.exe
    findstr "{"
    3⤵
    PID:4052
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3398A700-3921-4678-A0DF-D6A5143B4661}" /v TcpDelAckTicks /t REG_DWORD /d "0" /f
  2⤵
  PID:1872
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "LocalPriority" /t REG_DWORD /d "4" /f
  2⤵
  PID:328
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "HostsPriority" /t REG_DWORD /d "5" /f
  2⤵
  PID:3552
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "DnsPriority" /t REG_DWORD /d "6" /f
  2⤵
  PID:1760
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "NetbtPriority" /t REG_DWORD /d "7" /f
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://exmtweaks.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffb1a83cb8,0x7fffb1a83cc8,0x7fffb1a83cd8
    3⤵
    PID:968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,4970859086764228308,14182634424367219977,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
    3⤵
    PID:988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,4970859086764228308,14182634424367219977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,4970859086764228308,14182634424367219977,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
    3⤵
    PID:4680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,4970859086764228308,14182634424367219977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
    3⤵
    PID:1724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,4970859086764228308,14182634424367219977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
    3⤵
    PID:5064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,4970859086764228308,14182634424367219977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3692 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4176
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f2350056cf438f20670140308e08d13f

SHA1
f49836c2cddd9744e455912016cd2cb0186277d2

SHA256
e28f9dd35f43172af253f59f724164e6932eced12c61e35deca274b8756e3fd8

SHA512
aa8ea4c2b55b31d96d54e404ee426a438ca1cf75ed72b6901d21e9813b9534824143a94167177ea76feedc8535c1c4dbb3a871f1c8b85dc91aef1cece58b1bf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
28KB

MD5
78fbaa6c69ccc961b8ec438a8588001b

SHA1
990c7f85fd6739a39ceb934cacbddd8ca7672627

SHA256
708cc85c1b714f37d78a73e237276b2525f644e3e5ab935d7671368f21c2d4d9

SHA512
c9b167bc97e6a65745576831721bc21c1ebb4ea9545643f2af6e7b4879b5930db85991013a12a8debf645f3b152b9c27afa619c245e21d35d9cd66b1347a0aa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
25e3dfa21a49a266652ccf24e16ea7b9

SHA1
0a8782aabcc0ec3ef5cff8d4eab8a3e7a511db19

SHA256
cdecf28a148102b26e3e4406f1cab20e957b7fbbd426b56d117d1e67f1d3e46d

SHA512
feebc02f29d01256426c33ea67e7c2edcda3af356b5c0aa4e9d3c5069e6ccc912bf539ecb98e6d8a940459810e4e399152187760d85ec17b2c5b16af145e3cd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
a91cfc5a4cf8a2863551926f814c8a74

SHA1
e891f33c9dd7452c34948f737079b21c3ccaf018

SHA256
1dc0986b8231f6c65a88eceadbdee3dc5e15eb7c8656ed67519768b6589a902b

SHA512
d849852232e632955e36186cfc51d6bc36657c53f95f433a700ddea1dc67482d97f1e3ae3ee0c595acc1f993ee7ca268602e8ca3610b4d29b0979c6e85cf58d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b547da8050e940c9ea6673ba64fa2e2e

SHA1
36eb2279027633fe8a1c1ce1c08dc286279cf8ce

SHA256
288ebc0ffc96fdf067e4bd8db47502d9df1bc74fc27401cd1a1aa8fc28df5e36

SHA512
0bb9f21683f29c5763ad58f3f5aef9736237cdc5944bb96c1b3ab45d585a84e79e5b4a7067eaca6908e961d068acac708ca4cda12b16cfada9d58f57af1693ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ac22a6d077bd9d4ba4478901c755ceae

SHA1
e2c9d1ef977e0d552b09e00974dc65af7a364e9a

SHA256
0d28b5f212497bfef394abcd4a48ab549d6f1cb6c6a3fca5dde01b07e114eba0

SHA512
188464eaca67f822f4e4e88dce0fc7de413c1455a36e45ae0aa71d135004e09fac7a0f5cb70fb576906cda5ac4b1d518302943924a7c9cd66d2555ce9eabd033

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
db0e3020194005537bce21ba21757778

SHA1
e28e1a96bc1fcc219b869850dd60bc6345608c0a

SHA256
930862d71c630d25bd004e859583ca22f5f11f8be1c2cd49982178fbde660f5e

SHA512
e660a840dfd9a7eea2acfe8e6bfc4cee30456de11bc3901509531f225fcc31f1ff45c40af43718d9d6ab20f961f6ebff3d2af0ffcc7c885d4f742369219f4b02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
93eac785168dea26525c07cfe09a62c7

SHA1
d69ccad12b864759c08c4451ea7193d461566a97

SHA256
779b48213efbd3b74a360d5e5f44f980f5942c82fc7fdf50c037398d5b0941e0

SHA512
06ae41651926c9fe92358ec275d4bd8f0b2b7ca431d1324663e910fc7b7294d7d76a9f3a084b3237d302005dd9078faaf17f66a53ff158a319974d6df165a60a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
791a9542f73cecf3a76fb350d3dc7d39

SHA1
97af65062ba765a8f32c46ac34b553e6cba61f64

SHA256
89eb19766cf713417d40796b05584fe18fceceae2a60d2a8dd8a403edee47928

SHA512
cc38c6df87968c63f8bf6a0661f063f86a345f1f8ac879cc262b79ac3b2d07bc396748bf61d65835e3d66496d1790a334398c120bdca05abf82821ba66a94f1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
68b0d764e650acf8d1f0d5518bbca99f

SHA1
b9f78e669bb3665324343a9e0851f2d62700022b

SHA256
f478db798d436d768cb61b8a6fc2b2c2090e04ec162532bcd6a08c96df70095b

SHA512
e0239d7a0716c9d9d3b5445a9124d2d04f844a139ae2fd7ec31f75c4bfa91d8b2cade2c14ae7fcad9804b66ea39bcbc4af9bb2aaaf4ec527e5d203deb386b0d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c75c08a8-157b-45fd-a864-90c9004f6ff1.tmp

Filesize
9KB

MD5
7abf81a411d1262e5119a4acb0240546

SHA1
3ae2c78ae69085289b28596621846d34d978060d

SHA256
19f0d4e63c0f621e4ed86e3618bd82879668e8b2e924215993a4d07b6dc9214c

SHA512
b5f600a85fc026524a5ae9b4260b6175de1cc506f93c235666093c0734843494d496aced249208ef22cfd4ba2d02af841fad7a6b73ce25de89f83b24d2ba52cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
2b9274e2834506fb8b90375ac55cb3e4

SHA1
a96e5b4f0400deefe2a1225d0d6ee8611dbd38d7

SHA256
5d7dfc6733bf306854a4bb4494f8b6ea20b8eb4ea1f9ed79332d4e0645cbd2a6

SHA512
34a36ff384b5130c11b940d9b896026f66998b7422795d652d62f5967e08e990fcba87a28c2afa905c915c26731a7b50449ed1ad4a908f78a1301b0e478f8a07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
e384adda9954de3b72bfe63549c4b079

SHA1
58573dc9d24756e2b44dd8906575ceaa3d92bf82

SHA256
60344a7bb6d1ce0486bb86ce88ffbd0a37389f97249a0f33ab6f82bbd6365fb0

SHA512
371290c052ba9694ed7dfcb2d18f57cdbcc38510e0c956708c27122bfa3b27f21ebf1f1d704514d732f9ec3864d183734e7b481ca1c0778a10d404cae756dae9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9efc5ba989271670c86d3d3dd581b39

SHA1
3ad714bcf6bac85e368b8ba379540698d038084f

SHA256
c2e16990b0f6f23efdcecd99044993a4c2b8ba87bd542dd8f6256d69e24b93b3

SHA512
c1bc0dc70ab827b54feb64ad069d21e1c3c28d57d126b08314a9670437881d77dba02b5cca57ef0f2aa7f8e7d4d163fbd2c6f246ea2d51ce201d61a89015e8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
302c3de891ef3a75b81a269db4e1cf22

SHA1
5401eb5166da78256771e8e0281ca2d1f471c76f

SHA256
1d1640e5755779c90676290853d2e3ca948f57cf5fb1df4b786e277a97757f58

SHA512
da18e7d40376fd13255f3f67a004c3a7f408466bd7ce92e36a4d0c20441279fe4b1b6e0874ab74c494663fb97bd7992b5e7c264b3fc434c1e981326595263d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b7691f8cf5c5471abd8702bbcf891376

SHA1
0410ac16bc8d0073ee3181f832b0e5aa3c6b4f81

SHA256
5b1a63127e8e08a87a7812e12c05af4214db2e58af46004cadccacb1104899d4

SHA512
9835db30e88a73962924fa6da8de3db1ab66fbec2c663682db427b5b596cb89286f1550490d148ac852f761ebf8fa493c6793408eb7ad63f2326f768f3dca78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bqfdhzwm.iia.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\EXM Free Network Utility V1.zip

Filesize
11KB

MD5
15757b5ce3829feeea2fb7cf6d8f46ca

SHA1
8b334814bc54ac9ad0518b9a089af29cb54f8d72

SHA256
355b6083f0395ff040b2b02b3a8ea12f23730daef9e002f4c82cdfebc7bcc60c

SHA512
c2015498fc82c055aaaa8fba83f20c5c828bc536e1041bd1a650734612314b47bb328fa8663c82243cee9e480a06eec1e00054a9a856bc13ac97668d77976ff1

Download Submit
C:\Users\Admin\Downloads\EXM Free Network Utility V1.zip:Zone.Identifier

Filesize
186B

MD5
f8d851d166aa89bb0e90465452531a1e

SHA1
c3db132b7813a43d51b4f2ee41a777fd884341ce

SHA256
5344b5940ed8f5d36ed83ca21f2a0224115f28bc3fc9ad0b0a661d2365c32660

SHA512
a85b366642f691d03f4d9484365f9fc63a6a407907431e3a167840de8a0b4fea030f65fbeb041146112f76036934dc24683e5677b5997c0be740085234ecbdfe

Download Submit
memory/4696-188-0x0000027355490000-0x00000273554B2000-memory.dmp

Filesize
136KB

Download