exelastealer | 06f03c671ecb399a18f1deaf75e6cab4c6fde9d7f7b0202475c2767b1e1b7bd1

Analysis

max time kernel
321s
max time network
322s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sglotz.html
Size

4KB
MD5

64072f808173e6b2cdbad75306c91e67
SHA1

f43c55999f3bbd457ff97bd727ba7b9721006f9a
SHA256

06f03c671ecb399a18f1deaf75e6cab4c6fde9d7f7b0202475c2767b1e1b7bd1
SHA512

f927b1e5b5f005a4d049be8873fe458306e054a355a47df75b97a8ca412c94bba881d58ede37146e4a341249772535cb3bd9f0587c12c5393638a29494682956
SSDEEP

96:6zYRupRsDpRYpRGZjRxQWQhFS+burexZCe5VadYCzK9bKwof:6UIp4pWpUZ1QhFUa5bahMbfof

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer themida trojan upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RippleSpoofer.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5244	netsh.exe
5256	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RippleSpoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RippleSpoofer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	RippleSpoofer.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2600	cmd.exe
4004	powershell.exe

Deletes itself 1 IoCs

pid	Process
692	mac.exe

Executes dropped EXE 5 IoCs

pid	Process
636	RippleSpoofer.exe
3408	fv.exe
2684	fv.exe
4616	mac.exe
692	mac.exe

Loads dropped DLL 32 IoCs

pid	Process
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe
692	mac.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0006000000000034-150.dat	themida
behavioral1/memory/636-203-0x00000000000C0000-0x0000000001D40000-memory.dmp	themida
behavioral1/memory/636-204-0x00000000000C0000-0x0000000001D40000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RippleSpoofer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
154	discord.com
155	discord.com
156	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
147	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5884	ARP.EXE
4556	cmd.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
2684	tasklist.exe
1472	tasklist.exe
4620	tasklist.exe
5856	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2080	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
636	RippleSpoofer.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023d9b-766.dat	upx
behavioral1/memory/692-770-0x00007FFC0B8F0000-0x00007FFC0BED8000-memory.dmp	upx
behavioral1/files/0x0007000000023d93-779.dat	upx
behavioral1/memory/692-778-0x00007FFC1D180000-0x00007FFC1D1A4000-memory.dmp	upx
behavioral1/memory/692-795-0x00007FFC1D140000-0x00007FFC1D14D000-memory.dmp	upx
behavioral1/memory/692-798-0x00007FFC1B6E0000-0x00007FFC1B703000-memory.dmp	upx
behavioral1/memory/692-799-0x00007FFC0B8F0000-0x00007FFC0BED8000-memory.dmp	upx
behavioral1/memory/692-800-0x00007FFC0AE40000-0x00007FFC0AFB3000-memory.dmp	upx
behavioral1/memory/692-803-0x00007FFC1B6B0000-0x00007FFC1B6DE000-memory.dmp	upx
behavioral1/memory/692-802-0x00007FFC09D00000-0x00007FFC0A075000-memory.dmp	upx
behavioral1/memory/692-807-0x00007FFC1B650000-0x00007FFC1B664000-memory.dmp	upx
behavioral1/memory/692-808-0x00007FFC1D150000-0x00007FFC1D169000-memory.dmp	upx
behavioral1/memory/692-812-0x00007FFC190E0000-0x00007FFC190FB000-memory.dmp	upx
behavioral1/memory/692-815-0x00007FFC190C0000-0x00007FFC190D9000-memory.dmp	upx
behavioral1/memory/692-822-0x00007FFC18240000-0x00007FFC1825E000-memory.dmp	upx
behavioral1/memory/692-823-0x00007FFBF5180000-0x00007FFBF597B000-memory.dmp	upx
behavioral1/memory/692-821-0x00007FFC183C0000-0x00007FFC183F2000-memory.dmp	upx
behavioral1/memory/692-820-0x00007FFC19050000-0x00007FFC19061000-memory.dmp	upx
behavioral1/memory/692-819-0x00007FFC1B6B0000-0x00007FFC1B6DE000-memory.dmp	upx
behavioral1/memory/692-818-0x00007FFC1B5D0000-0x00007FFC1B5DA000-memory.dmp	upx
behavioral1/memory/692-824-0x00007FFC181B0000-0x00007FFC181E7000-memory.dmp	upx
behavioral1/memory/692-817-0x00007FFC19070000-0x00007FFC190BD000-memory.dmp	upx
behavioral1/memory/692-816-0x00007FFC09D00000-0x00007FFC0A075000-memory.dmp	upx
behavioral1/memory/692-814-0x00007FFC13590000-0x00007FFC13648000-memory.dmp	upx
behavioral1/memory/692-813-0x00007FFC1B6E0000-0x00007FFC1B703000-memory.dmp	upx
behavioral1/memory/692-811-0x00007FFC0B7D0000-0x00007FFC0B8EC000-memory.dmp	upx
behavioral1/memory/692-809-0x00007FFC1B630000-0x00007FFC1B644000-memory.dmp	upx
behavioral1/memory/692-810-0x00007FFC1B5E0000-0x00007FFC1B602000-memory.dmp	upx
behavioral1/memory/692-806-0x00007FFC1B670000-0x00007FFC1B682000-memory.dmp	upx
behavioral1/memory/692-805-0x00007FFC1D180000-0x00007FFC1D1A4000-memory.dmp	upx
behavioral1/memory/692-804-0x00007FFC1B690000-0x00007FFC1B6A5000-memory.dmp	upx
behavioral1/memory/692-801-0x00007FFC13590000-0x00007FFC13648000-memory.dmp	upx
behavioral1/memory/692-797-0x00007FFC1D0F0000-0x00007FFC1D11D000-memory.dmp	upx
behavioral1/memory/692-796-0x00007FFC1D120000-0x00007FFC1D139000-memory.dmp	upx
behavioral1/memory/692-794-0x00007FFC1D150000-0x00007FFC1D169000-memory.dmp	upx
behavioral1/memory/692-780-0x00007FFC1D170000-0x00007FFC1D17F000-memory.dmp	upx
behavioral1/files/0x0007000000023d43-776.dat	upx
behavioral1/memory/692-862-0x00007FFC1B5E0000-0x00007FFC1B602000-memory.dmp	upx
behavioral1/memory/692-909-0x00007FFC1B620000-0x00007FFC1B62D000-memory.dmp	upx
behavioral1/memory/692-927-0x00007FFC190E0000-0x00007FFC190FB000-memory.dmp	upx
behavioral1/memory/692-928-0x00007FFC190C0000-0x00007FFC190D9000-memory.dmp	upx
behavioral1/memory/692-929-0x00007FFC19070000-0x00007FFC190BD000-memory.dmp	upx
behavioral1/memory/692-938-0x00007FFBF5180000-0x00007FFBF597B000-memory.dmp	upx
behavioral1/memory/692-968-0x00007FFC181B0000-0x00007FFC181E7000-memory.dmp	upx
behavioral1/memory/692-951-0x00007FFC09D00000-0x00007FFC0A075000-memory.dmp	upx
behavioral1/memory/692-953-0x00007FFC1B670000-0x00007FFC1B682000-memory.dmp	upx
behavioral1/memory/692-952-0x00007FFC1B690000-0x00007FFC1B6A5000-memory.dmp	upx
behavioral1/memory/692-940-0x00007FFC0B8F0000-0x00007FFC0BED8000-memory.dmp	upx
behavioral1/memory/692-950-0x00007FFC13590000-0x00007FFC13648000-memory.dmp	upx
behavioral1/memory/692-949-0x00007FFC1B6B0000-0x00007FFC1B6DE000-memory.dmp	upx
behavioral1/memory/692-948-0x00007FFC0AE40000-0x00007FFC0AFB3000-memory.dmp	upx
behavioral1/memory/692-941-0x00007FFC1D180000-0x00007FFC1D1A4000-memory.dmp	upx
behavioral1/memory/692-984-0x00007FFC1B690000-0x00007FFC1B6A5000-memory.dmp	upx
behavioral1/memory/692-972-0x00007FFC0B8F0000-0x00007FFC0BED8000-memory.dmp	upx
behavioral1/memory/692-981-0x00007FFC1B6B0000-0x00007FFC1B6DE000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5252	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000023d3d-676.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4432	netsh.exe
5736	cmd.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
5552	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3420	WMIC.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	RippleSpoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	RippleSpoofer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RippleSpoofer.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3380	ipconfig.exe
5552	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3700	systeminfo.exe

Kills process with taskkill 22 IoCs

evasion

pid	Process
1060	taskkill.exe
6068	taskkill.exe
5292	taskkill.exe
1084	taskkill.exe
3408	taskkill.exe
2980	taskkill.exe
5596	taskkill.exe
3244	taskkill.exe
5248	taskkill.exe
5148	taskkill.exe
5724	taskkill.exe
3732	taskkill.exe
5368	taskkill.exe
3468	taskkill.exe
904	taskkill.exe
996	taskkill.exe
2508	taskkill.exe
2400	taskkill.exe
2128	taskkill.exe
3716	taskkill.exe
4920	taskkill.exe
5036	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133775353550146303"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3442511616-637977696-3186306149-1000\{12456444-FA9A-436A-B244-F1099AC0F70F}	RippleSpoofer.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3772	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4060	chrome.exe
4060	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
2900	chrome.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe
636	RippleSpoofer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 3592	4060	chrome.exe	82
PID 4060 wrote to memory of 3592	4060	chrome.exe	82
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3356	4060	chrome.exe	83
PID 4060 wrote to memory of 3536	4060	chrome.exe	84
PID 4060 wrote to memory of 3536	4060	chrome.exe	84
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85
PID 4060 wrote to memory of 1812	4060	chrome.exe	85

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3476	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\sglotz.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc13cbcc40,0x7ffc13cbcc4c,0x7ffc13cbcc58
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2092,i,13040680298817834599,1604327367477022396,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1816,i,13040680298817834599,1604327367477022396,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1592 /prefetch:3
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,13040680298817834599,1604327367477022396,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:8
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,13040680298817834599,1604327367477022396,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,13040680298817834599,1604327367477022396,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4568,i,13040680298817834599,1604327367477022396,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4612,i,13040680298817834599,1604327367477022396,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5100,i,13040680298817834599,1604327367477022396,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5104,i,13040680298817834599,1604327367477022396,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5280,i,13040680298817834599,1604327367477022396,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5276,i,13040680298817834599,1604327367477022396,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5464,i,13040680298817834599,1604327367477022396,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5624,i,13040680298817834599,1604327367477022396,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5584,i,13040680298817834599,1604327367477022396,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:860

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3824

C:\Users\Admin\Downloads\RippleSpoofer.exe
"C:\Users\Admin\Downloads\RippleSpoofer.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:636
- C:\Users\Admin\AppData\Local\Temp\TempAppFiles\fv.exe
  "C:\Users\Admin\AppData\Local\Temp\TempAppFiles\fv.exe"
  2⤵
  - Executes dropped EXE
  PID:3408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
    3⤵
    PID:4924
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM WmiPrvSE.exe
      4⤵
      Kills process with taskkill
      PID:996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
    3⤵
    PID:4140
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM WmiPrvSE.exe
      4⤵
      Kills process with taskkill
      PID:2508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
    3⤵
    PID:1628
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM WmiPrvSE.exe
      4⤵
      Kills process with taskkill
      PID:2980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
    3⤵
    PID:3276
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM WmiPrvSE.exe
      4⤵
      Kills process with taskkill
      PID:3716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
    3⤵
    PID:1080
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM WmiPrvSE.exe
      4⤵
      Kills process with taskkill
      PID:2400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Restrictions /v HideMachine /t REG_DWORD /d 1 /F
    3⤵
    PID:876
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Restrictions /v HideMachine /t REG_DWORD /d 1 /F
      4⤵
      Modifies registry key
      PID:3772
- C:\Users\Admin\AppData\Local\Temp\TempAppFiles\fv.exe
  "C:\Users\Admin\AppData\Local\Temp\TempAppFiles\fv.exe"
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://justpaste.it/9fxdx
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc027b46f8,0x7ffc027b4708,0x7ffc027b4718
    3⤵
    PID:4964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,13207583828363734491,15925684726172584606,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
    3⤵
    PID:1612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,13207583828363734491,15925684726172584606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
    3⤵
    PID:4684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,13207583828363734491,15925684726172584606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
    3⤵
    PID:5100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,13207583828363734491,15925684726172584606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
    3⤵
    PID:3772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,13207583828363734491,15925684726172584606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
    3⤵
    PID:1076
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,13207583828363734491,15925684726172584606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
    3⤵
    PID:4932
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,13207583828363734491,15925684726172584606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
    3⤵
    PID:3908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,13207583828363734491,15925684726172584606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
    3⤵
    PID:5192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2016,13207583828363734491,15925684726172584606,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3720 /prefetch:8
    3⤵
    PID:5572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,13207583828363734491,15925684726172584606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
    3⤵
    PID:5932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,13207583828363734491,15925684726172584606,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
    3⤵
    PID:5940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,13207583828363734491,15925684726172584606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
    3⤵
    PID:6088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,13207583828363734491,15925684726172584606,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
    3⤵
    PID:6096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2016,13207583828363734491,15925684726172584606,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5708 /prefetch:8
    3⤵
    PID:5368
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM explorer.exe
  2⤵
  - Kills process with taskkill
  PID:5596
- C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe
  "C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe"
  2⤵
  - Executes dropped EXE
  PID:4616
- - C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe
    "C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    PID:692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:904
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:4000
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:2080
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Views/modifies file attributes
        
        PID:3476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:2292
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4060"
      4⤵
      PID:2252
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4060
        5⤵
        Kills process with taskkill
        
        PID:5724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3592"
      4⤵
      PID:728
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3592
        5⤵
        Kills process with taskkill
        
        PID:4920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3356"
      4⤵
      PID:404
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3356
        5⤵
        Kills process with taskkill
        
        PID:3732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3536"
      4⤵
      PID:4172
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3536
        5⤵
        Kills process with taskkill
        
        PID:3468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1812"
      4⤵
      PID:2960
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1812
        5⤵
        Kills process with taskkill
        
        PID:5036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2456"
      4⤵
      PID:2744
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2456
        5⤵
        Kills process with taskkill
        
        PID:3244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5068"
      4⤵
      PID:4264
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5068
        5⤵
        Kills process with taskkill
        
        PID:5368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4416"
      4⤵
      PID:5216
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4416
        5⤵
        Kills process with taskkill
        
        PID:5248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4964"
      4⤵
      PID:4056
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4964
        5⤵
        Kills process with taskkill
        
        PID:5148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1612"
      4⤵
      PID:2408
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1612
        5⤵
        Kills process with taskkill
        
        PID:1060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4684"
      4⤵
      PID:6056
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4684
        5⤵
        Kills process with taskkill
        
        PID:6068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5100"
      4⤵
      PID:6048
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5100
        5⤵
        Kills process with taskkill
        
        PID:5292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3772"
      4⤵
      PID:5352
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3772
        5⤵
        Kills process with taskkill
        
        PID:1084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5572"
      4⤵
      PID:5188
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5572
        5⤵
        Kills process with taskkill
        
        PID:904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6088"
      4⤵
      PID:3120
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 6088
        5⤵
        Kills process with taskkill
        
        PID:2128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6096"
      4⤵
      PID:2920
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 6096
        5⤵
        Kills process with taskkill
        
        PID:3408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:4452
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:5748
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:5132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:1964
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:2940
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:1184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5024
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:4004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      PID:4556
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:3700
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:1396
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        
        PID:3420
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:4696
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:3392
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:4240
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:4168
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:5212
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:5900
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:5004
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:2960
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:2984
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:4792
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:3928
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:3924
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:3964
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:5856
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:3380
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:4264
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:5884
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:5552
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:5252
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5244
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5256
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5736
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:4960
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:2616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:736
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4160

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x420 0x308
1⤵
PID:4404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
6f68f3ffb1dadefc96d1de1c1d440acf

SHA1
93abcf8fdcd282debdd613bcf41ced6c773cdf9b

SHA256
28d04b9d08d447ac0be9dd4cb06480e452d106575bde529e4d6c1f033e4cf4fd

SHA512
8c39f9efc73e3df517ceca202a6ef9cf38a35be10aeefff95fd9eb3c912174ba89f3c42e356434c3ac77ab342ac5a4d2af2e5e4c8247c8b413d2b7ae3bbabcc1

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
992B

MD5
ff9615348bafab70a615c61fd851b1ad

SHA1
4a42b22af709709fb9e23911cc2290aae99ccd8a

SHA256
896ac590c141fe0109068f3a3d4059fd0a888c0202574e3c4326f9fcec62c38f

SHA512
a0fc04d882774717cd8aa4967b2ac8b0bd401a960f7d318c3864bf347c424412047fe4c18c8854c03920d376601adbd784a8808ef9e9c6ca6276a466dd3e0be1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2e0d6385b93a4582bef37166eaeee556

SHA1
802ad7554884e63908a862a18cbf89cd4dacc799

SHA256
6965a3f466c5cf898db983eaf6b47a41d3ea286ce40c55d6788be79e31f894eb

SHA512
91bc82aa92d95c949a0a25beec2e656c4520797112dde99c3fadaad7fbad1c475841bf32df7fbe955680477481b5055472f8c6423f67601d994a21c527a93da7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
e16b20f05fd00478ea204cd9e919cc9f

SHA1
e5c2b33383b9f0a7bc39604f0502ba4a7e26f065

SHA256
4b2dc874d113549829848a9e286d72d00a450258cf8411cd3d2f18492b64aefa

SHA512
39c065d273e9d1041118f007baa5549717889f17d8bc81f034c0be0cac1bcfb249e3e677582a75c169affe2dc5868bb3a1bc63d4c8565c7fa968d643a8520a9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9b866d1a40ad2e013ab2497170277c31

SHA1
185b604b80ee643487b8bf628a671c661adba2b4

SHA256
ec82399209a85dfea5ab277fadd373fbff0d87b4fb70e4153f9d6ad6ba9fbdce

SHA512
a2f079eb3caffd37ebb1468b3173f33ed1430d8508f6855f539b473634e79e22af1ea15876bd4ff6ecabed8753de805cc8fbc24b3ab23b237606c602b671792e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
fe187aa670924b899405328c0d8ac5a1

SHA1
2e16c28eed93b70802095270aff4a28ace838e2d

SHA256
824a8535fa5c52f94944944789161f019f478c08d90ac5d722f689bf4ed8149e

SHA512
f26ea6eb34a008e55c27985c79738e6493b0c40034e87cc03bac9202691513ef0b6ddb05bb8a54c11499cc89988e35b1bca465a30b21ae210255a6e50502cf37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
e402e6d9d1f0c6e9abb85547e65eb692

SHA1
a41aa5d4af5e7196718dbf7da88c4a4441f407b9

SHA256
c1d7b00f1e0455e81b1d9397a071390f77dfa78e95e97f163e510c14ac64ade4

SHA512
e7457470133191cfe106db2595164c46110b0fb704452cb460a6956f3fed57cbf2e38e0578a897d1418eca2e3b567215665bd2c6f77ffe81278b49249f7ed42e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0b014b51626b1e6a17a8e6e32b2f7145

SHA1
76f60bf9b3ae8d39cff2781b407a2e57f3db370c

SHA256
e4eb2a32442c8ba4e8ce0400b0557258f0b04ef12f728956cd8b6b127a66368e

SHA512
9eb6e48e0fcee5b9124054e87c3cdaf0c1fc9ab8963b62de4d93bf1f691de45af10e3f391caff0925d54ec856bf2887579c441afc75e9fa877c1c6e991236d59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5fbd4156c9839598dbbd171853a8cd57

SHA1
6e49bf8ef5c1008a00b1b43d9b993223911fcf07

SHA256
e4a9355cfcec794863f6f473e242ea5be9a9872c7f073904d4fa38e54a44edaf

SHA512
573e14e26c0b010b481a4b96e878d32ce05713593ddd407df954ddf431d3630e1f9db89f18db2c8324921099a95c8700d4ecfce214f62d71ca990f4ae2801bb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eca07062b5e6a46dfd26bd86cce13a55

SHA1
4f6a0ef9dfdb0f1f192e811e3d5948bc7b0c176d

SHA256
991134ec5db20fcb2bedfad9c03ededf267ed242fae080f16623d9aed9335d0e

SHA512
3fd255cfad003372747a2647ede0006945456ce63f2c51aa3bc701665071633eea99436ee1a6bcfb42b6dd9d617926fdc3bb0edb413da0cf8e66f41c658177cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cd89d022a2cfa8bb89995943716e8207

SHA1
289ae91f2969465f7a3d371eb0dc05b25db879fc

SHA256
1600f7ee466ba4f0af7a064393dbdeb61aa32b30acd3dd4ba4f3ee58c8b7b85d

SHA512
c3c6eace972b40d9b1dca18afabedff557d1cebbf51c904c0dab801e27bda048cf754a9c9b5536a11ce2e9d4bfbec3d2582931196e42c93f0391c5948ce4b931

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d798f8ccda8fd68bc27e71eab2f8a76c

SHA1
4301ee9cc9685ab580e22a99c1d3c610ca5ae2a6

SHA256
de177eb7e77d8d56f30075379917d9b307666e59586b45beb9b6be79b745f6eb

SHA512
3e7fbefa497e0ee4c678b6f8efb292a009486ab72cfc893bc2182ca99150e04f83519d0bea567b9089933354fe5181a4693cc6d6ac18b8d47b83c75310568815

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2740d9bd12a0dd7190a2cf8c4241590a

SHA1
e6c85be73d6b1ae60ba2807b8a06a50442f962a8

SHA256
e2ecee53e04e6421247674843ea6b246bd423042af8035e41f894fac64862fba

SHA512
5904f45a2388e08b440c135ce22a950749f0164036dba9f9158f4b1ddd341e279ca3746a8d73d08f63dd7e0ae7e6becd4da6079181ff35a72a9017321729a624

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b878cd5ca858ce683d6db9fc1dd2eaf7

SHA1
a804b3ac1178ce9c8cb54c1c08cb513290268640

SHA256
3180e296abff8d5d789ebfe405360a82eca85e9cbc988df6104704e254afd55c

SHA512
7703cccb030b8ea0f68210d7c8eb396e4212f75be6294f79b020e5d718f0af3348c7ab2428d9b75296f0188ca01210e9df004315ec11489f48c9465daaea0ce4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
58d51010a6890c2c37c1b9eba4a8ea13

SHA1
2eb5e014296b4816128dd5015e9dbb14229aeb8b

SHA256
61ee35b752903cd04c14d1a7a1ce700f9b30c07e0f15c528b0bbe320879b5824

SHA512
eeb8d48fb52e38b753488f9c4bae5e27aa85f81289bee91ad4820cd39ddcc7df6b4c07053da1ce777551280fbe4d7ba3583a62c7426ef50c84dd8a38537ab5c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f6cc6afe0432ec5a8d856d1af51182d0

SHA1
ecc6338b9bf93c6650ac1bfd46573135a2e3f9a9

SHA256
8d9b1770e7fe14ac2a4039a43358e7a5a0fa5323555b084c99feaa19c131d414

SHA512
da403cec8caffbb72665d4d5ee823b9616b0dbd861fcc12d7e44000310107a1cc44231b8a5b1effad815e942ced8ca0bc823082320c83e54e82227420945fb45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fb4aa2ed31d418bf607aa04e85e5a0be

SHA1
e8b8ca49d675825fb1db9f3388d73fc280fafa2f

SHA256
e7130639c161d60fc944f8c7af80074e1e6773cc0474f7e5c58fb2e1b8d32dbd

SHA512
925b06c43741e11a0461b599e1f38e6104d0b2d6b8c5ed6e06fa9dd03639fee6213da22e1e41fd35b09ae0a8027315e91b889fd8a2587204a5fd520c7148b0f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
72dd29c63c12de2b0789384cadcdc305

SHA1
851c9b98a36fd1fd8b9fb05dc2fd92c890e0b0c9

SHA256
aaf902057ef1bd324d9a0101b6ff5191f065e2db68513a2290f435eca2e1bf5d

SHA512
3d5184332b89f09eff3cd083c0b0546c115aff4c526ea3af1854cf6de228bb5b87166cc148254fc8fd48cd19dd691b84e51f8f462fc24e58650eb1b365fb00ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8bb5e2b53b64f097f4be3c2ceead153e

SHA1
05713d8539888947cb912bb04d2da99fffd89a6e

SHA256
219f5dd28d9b76cc4232a08a34b0c2f9a819349eb5ee5a80284ad351cdf88b00

SHA512
06e8956b6df6fe55a11b3a2c3555590223e320556957466e849ab8f04e44c395e611011ff607928d446c50705952e4b6a0e53035ca59b6444f396cef885a5253

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7fa0f28836c7c80760d2f4a69aef6822

SHA1
49f117bc77d4f3ac42341d0ce61e23eb1a6e3753

SHA256
fbf97ff7d0e13ea32a34e8ef1df44490a7597da5999a3cec877d9aa60625dd32

SHA512
7fbc71bdf410cec16f26c25128eb9df351c16c521b3cb3c09687e57749e628002f9470ef392e75f432ef585685bbddcd0b57fac16439f7a6bfd84568b5fd6d74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
249b2b50627c753d6cb28a156eaef0b5

SHA1
ae8413ff8db0c1f34e4a9606f3005778621d12e4

SHA256
2d8f6af9cfcadb605dc0f533dc06b62a3622875df8ce8e3bd24dd676b84f60a6

SHA512
0b9d03722dd550537a59f857a854b88b8f13f0e2472691c2fc6803b4bcc4b90aa6f62c6f7be0f3735c6eaf490c6438f0f3c14c02a4cdcb7ba3c27246d25ce92d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
420b0acdb76eb8754dabe0bfb187f0ba

SHA1
1fd4b509391ee9ac30ebcbc8e60a955a59c817be

SHA256
5c29b09dbcba756c3d2a88c455a488dc40cbd3191295707ba8d4dd231d634d42

SHA512
6471892a8a3eab55487eff5b615ed9bf523b75b2793dd2bb981517a8a0cb75dd728a95124a18cce498cbd5093526bae7155dbba1ebe46aa5b0fb52f117325f0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
35e534f67c6f1fead22a6409991e2636

SHA1
4bffde75e45314c12fd08502e6cd695c89fdf744

SHA256
c338cc074c76f3bed631eda62e65931d484b7a110fd04db7cd686ebc66abadf5

SHA512
6048db1acd81ab31f2afa515ce4c04a999997621b387fb4b42fa2cc24b6622efb166e69fa0acd19ed49c9065695a89cb68f247af895ed067024ba53887571f08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a100a72f7cc433b5ddd22f6e4db927b

SHA1
59cb2af1753697b98294c8d24dae99a1670937d8

SHA256
a31d0c8c9f189fad15c72576b18ff6fe870c7273a280bacf70c6009b8989c5ba

SHA512
312decf784e2f20c440d445fa06367af15f832788c80a81d360824674d6e6a52fbedf0f8906ec60700db681cc7055b31ae327fc2c4948319061967d7da9e2e4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e0de6ae2b9c934bf6dab2d0b1e6483ff

SHA1
2c34d76d3f5021ba2ff451b722a821f1b9b888f0

SHA256
eeffa8cfe1776aebbbc9782e33402f039d869ce594014367c596d8cfcfc4407c

SHA512
3b5f28c11464deddf21aa1c571c61f14e048af1cb27730604b8f4aa8f520a3493aa33d91f4d31c4216eab2e63462f3054a95572878ac3f0a74ebde8b67b9576e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b141d503b0e744d9aeb2c2bf5e92c4de

SHA1
3ceebd11a2b86452501b48ad182908b29b7c92a2

SHA256
d260e331c8ac8bed8c61896f2883977cdff070528d39ef972d3d4d0312525015

SHA512
9869f7470762128d2cc42a57644e48d8e99115d444c608e9e4c5a0f39a6bddc41f57770b231fea5cebbb541d54f2ff81e0a9fe4ca0d4a544d9248eb6ee52d896

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
e5fd4558b0acf827975dcce8dce82957

SHA1
cc46d4cc819aabae79cec3799171ccbefb234f40

SHA256
3c845d7755d4e173ece1497fb558b81743f489927c55a38b416ba9ea01d6dd03

SHA512
2ec86e77671aabe0b1dfbbb09e697211c04dd70daacefb96849f94b6636a0594c80e6519124b0dc8b13522b16721328bfd1af4a743b5b6aca42ee69e4fff4d03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
f92acfc5785310a5f8ef73bbfe5eaac0

SHA1
8cd28561d0ec542de03f877a8eae215c3554a57c

SHA256
78a556734344b0ff3842e9a1d77aac625152d3d9695aeb05b4d00f1b843e1a35

SHA512
c812a054547b5adf3fe3b37784b715244c6ec11fc13fff62346128651f86e2fe3e60aed76c95a19881bfd6f778a1c353bb2e3b467837edb4da637f68037e6506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
1024KB

MD5
b6b13cf27459569a30a87e2e4d7f1ece

SHA1
8277f703ca5e916be3755d9b47b8e70c5820bcbb

SHA256
12e5569ca168e7c60295011959819399d2a2270e63df6ace8bd6b7acf0d08bee

SHA512
0299c304f649bd1af9b77ad0f47f22ac273209eec005ea48065d4a048832569892a990d2284ea59c94e7f3aa43b746f180836a8dd01dfb11368659e38d8baf5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
1024KB

MD5
26b9ea94b02bdc57ae7b3cd8151b6f29

SHA1
34b21217c43084e3a16a9dab23bdb935150891b1

SHA256
cd88d8151802ee864080bfa768a6f58bce5b654846efb89fc9d3f1a10acab22a

SHA512
c2c7f4268a023db891cc0c6313085995b340347079a926fac2c4474ef40aa4fc128760078215ceae1d6df9b59bb77891910712fb1b0e48b7240fc88e85f52842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
1024KB

MD5
9c5ef3244218f94d4391db8ba8b99bb1

SHA1
d780a9124a7e1e088a590fe851df83f286520320

SHA256
7089baaf59a0397e6f191e434ce2aab60878fc9604dc39f11def621fb5db80ec

SHA512
300dc8b7af87dc70ed004fc5818584c7a4e10403072fd3cea5216c52e27fb320f85a8fba262ca68b84d2a723f987141171d512497c840886d624be55943e147b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
1024KB

MD5
d9879171f62f9de6b7f53079c203c9f9

SHA1
d079ef73bcd3bd5ca5a6526eb397faca58d4bb32

SHA256
92f46bb7e425f3738ebfaafba6dc4bc6219327fd3527bde929faa68669b767be

SHA512
8bce913db22f5743873d03583d49801b6ce576c574b083ba0f654248963a504110eb827fe950109344eb3f0d6d3c7c0475c48f001ff5a4d9e0c4bef6ed3ffed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
1024KB

MD5
71c46f473f7da335e2630cbbe0a7e59b

SHA1
8408e42affabdb088132a294d9607e45a0151c5e

SHA256
d17704b11362ba48e563f3502ab371831f9fea6980cc0ba8efb2079657f51e99

SHA512
dfc6b542b712c66f749ccc4b395ae313274a307792d9a86d91bfdeba35112b16efc1c234d99ef742beeca42aaa9cdfe75b34c82ebb6f8223e1f4c73680c742d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
1024KB

MD5
0d33db1c9cb58d91c78f9efa9d665641

SHA1
28fe8b1f6fa70c9b0de48c38133819f86371d4bd

SHA256
b1e10b4092357d8c134222be20f28aa9ee778227749546be35b909c25af376af

SHA512
e766a83e9a8178e936f106d89cb020dd7d1fc1ca89adce790ac35e830d7e08e60eddc2b8fc516fc6170e84f0647bca740a6a13807a2f8bd8c48962146bc67702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
1024KB

MD5
c61cc25d3db50d6176aaefa817a13fdf

SHA1
3ae85461a531e518e6f8e4de2ed5925014d1c2c3

SHA256
3ffb5fe8ccfdcb5bc2b6b5a16f4293aea64e273ba4f66fff5df5fdf73daa2f6f

SHA512
9718991e5e55a363db0c473fb707facf95167a9585bc160b5d72c56dab1ff3999e1e20993474f9b17e09e84c9ae9a651c8a68cba23a2a50e4747dcc5b62dd468

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
a4c65d94418113f98d8c283b238a9921

SHA1
a2a0c1e05ec5f457f36dd97aa92bdf141dbab231

SHA256
71e838585aa2b8e01ec77fc3970642efb38d6c91a742b4faecb580a5f1679bbc

SHA512
eb44a6241f0e301dfee14c369d268760e08eb2c6a591943ea46e454331b5dc0d0ba3590eca7c61acce091781b6662403d587e9bc1981ffcd980cc27744d9f34b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
988B

MD5
be818b5519d8114e37b11e2b0631bab6

SHA1
55ff9d5502cba249a63bc63f39b07a21f42c4485

SHA256
57ac11f73ce683a489e1506fbc8a2e80c5108f06b6766eaa8c09f787826a5e97

SHA512
c418f93582c822ecd7d0748da69965ad56865128c10fa82174ab98225266007331c260316141bee9658fa0a9739e84f2c685aa422facd768cd58b8c31520db80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
007e2c3e7252042120f8665747d5b6f5

SHA1
5f0493e81a85fc38c0be6815742e5f170661e550

SHA256
d2cbd3c6e0c3cb155a1e1fd917bce143b9933df75b8733b925f378633acd70a5

SHA512
a7f2dc1d766e72d85c3220c474aa85a9d47392b65344c3103dd224f7f46725b918262b7885b7ec62b4b32e1f7319f2c423c07a0b167c653906727794dba626b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f6be50fa1e96cf504441619e7fd1d577

SHA1
346bc161dcd886167f889587288b88a610017973

SHA256
22a9c10f22929a4f62f963e95d4a58bb01885f3e9a6cce1e604e7105ba243012

SHA512
1c80bc4d925b90888494278467a64cba76736b6a5d126682f0170e36e072fcca68a7792a44fdd09befa94e185ef421025b7afcd67cf7fc36bd403149bd4fd0a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d4dcb4e7535dc779ace89a1503e037e6

SHA1
6ddeeec922e2122aeb2e1b745ee953d14d7d1d68

SHA256
9b2de925efff84bac1ed664fdabdf0dee900a39ed3ff9ea9894366ce1498d0c7

SHA512
d42fda8e57babb2b48816068a00e250a7cf53e023069f8f96c52c61371cff6ee2c5a2ae2c0849106a60218831b1f330efd7f625187c0a8a45e54a3484a60964d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
23c0bd348b5d58e416d232a837858ab1

SHA1
6c140d29a956ab2712d9ca3b49abd72debf34eff

SHA256
1e9a7d748db118bda36f555896749ac6ab743540144c5042352e3b7253ae2e46

SHA512
9827cbcb886903eab3355bab997ca5d4b9efc7ebf735ca86bfad272ac333e2160a1d573263e174477e301a60f50d74ef689ffbdc4921b08e56f57b7b532ed60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\fv.exe

Filesize
704KB

MD5
be322cb110da6187bfa1aa2857f08015

SHA1
c852390a85444e7dd1ea95bd3b57d6f78104d917

SHA256
27adbb6b07726ceef6ee93b1f74fb89c4ecafdf479af4f99c7d1c7a94af03d62

SHA512
7007b420ade524f7fe4ac2009d12582c14d8c144a9ace4c761504ca5a12290c8199ecd40fc0e1d74e7576d6e9440066f8f6c77faf93e3185c3541c51b1fab637

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe

Filesize
11.6MB

MD5
5e4af59b15f707006f96e6472a176f65

SHA1
fcef247cc530ec493f207fce18b416e1c9b7e03c

SHA256
abbc5d4d36cf8606190e7af53b7360eea48eb698027838235acf6b15b006437a

SHA512
f35b1d71bc8669c37665653beb522a93d7b287199abb30c6e63c75a90516884ab38a54524e6afbb8581f1d19a7522c455d8cfc02d6810539fd03d2cddc781c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46162\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46162\_ctypes.pyd

Filesize
57KB

MD5
b4c41a4a46e1d08206c109ce547480c7

SHA1
9588387007a49ec2304160f27376aedca5bc854d

SHA256
9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9

SHA512
30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46162\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46162\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46162\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46162\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46162\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
efad0ee0136532e8e8402770a64c71f9

SHA1
cda3774fe9781400792d8605869f4e6b08153e55

SHA256
3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed

SHA512
69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46162\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46162\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46162\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
e89cdcd4d95cda04e4abba8193a5b492

SHA1
5c0aee81f32d7f9ec9f0650239ee58880c9b0337

SHA256
1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238

SHA512
55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46162\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
accc640d1b06fb8552fe02f823126ff5

SHA1
82ccc763d62660bfa8b8a09e566120d469f6ab67

SHA256
332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f

SHA512
6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46162\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c6024cc04201312f7688a021d25b056d

SHA1
48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd

SHA256
8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500

SHA512
d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46162\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
1f2a00e72bc8fa2bd887bdb651ed6de5

SHA1
04d92e41ce002251cc09c297cf2b38c4263709ea

SHA256
9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142

SHA512
8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46162\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46162\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
3c38aac78b7ce7f94f4916372800e242

SHA1
c793186bcf8fdb55a1b74568102b4e073f6971d6

SHA256
3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d

SHA512
c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46162\base_library.zip

Filesize
1.4MB

MD5
3b3654276bbb89fcba4df6a0a0fad8d6

SHA1
668cd7e62cb6449e820ce1c24484e7ab9c4ca9a4

SHA256
de67ef0597974ce98ac33c99d230f370284031ef62249d55c5d6210066874938

SHA512
ecade71b589213ba9bcf8f997e4ab1d1c7c2c78fb88d5f2d562f376986c005e9b98ffdbbd0988f6b5f50adff4cc46be1c076b377a6e6152014d5552effec4973

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46162\libffi-8.dll

Filesize
24KB

MD5
decbba3add4c2246928ab385fb16a21e

SHA1
5f019eff11de3122ffa67a06d52d446a3448b75e

SHA256
4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d

SHA512
760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46162\python3.dll

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46162\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46162\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lymlt5g0.ktr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 766365.crdownload

Filesize
15.6MB

MD5
76ed914a265f60ff93751afe02cf35a4

SHA1
4f8ea583e5999faaec38be4c66ff4849fcf715c6

SHA256
51bd245f8cb24c624674cd2bebcad4152d83273dab4d1ee7d982e74a0548890b

SHA512
83135f8b040b68cafb896c4624bd66be1ae98857907b9817701d46952d4be9aaf7ad1ab3754995363bb5192fa2c669c26f526cafc6c487b061c2edcceebde6ac

Download Submit
memory/636-241-0x0000013BAFC30000-0x0000013BB06F1000-memory.dmp

Filesize
10.8MB

Download
memory/636-216-0x0000013BCBD90000-0x0000013BCBD98000-memory.dmp

Filesize
32KB

Download
memory/636-619-0x0000013BAFC30000-0x0000013BB06F1000-memory.dmp

Filesize
10.8MB

Download
memory/636-613-0x0000013BAFC30000-0x0000013BB06F1000-memory.dmp

Filesize
10.8MB

Download
memory/636-573-0x0000013BAFC30000-0x0000013BB06F1000-memory.dmp

Filesize
10.8MB

Download
memory/636-544-0x0000013BAFC30000-0x0000013BB06F1000-memory.dmp

Filesize
10.8MB

Download
memory/636-661-0x0000013BAFC30000-0x0000013BB06F1000-memory.dmp

Filesize
10.8MB

Download
memory/636-533-0x0000013BAFC30000-0x0000013BB06F1000-memory.dmp

Filesize
10.8MB

Download
memory/636-491-0x0000013BAFC30000-0x0000013BB06F1000-memory.dmp

Filesize
10.8MB

Download
memory/636-462-0x0000013BAFC30000-0x0000013BB06F1000-memory.dmp

Filesize
10.8MB

Download
memory/636-446-0x0000013BAFC30000-0x0000013BB06F1000-memory.dmp

Filesize
10.8MB

Download
memory/636-328-0x0000013BAFC30000-0x0000013BB06F1000-memory.dmp

Filesize
10.8MB

Download
memory/636-274-0x0000013BAFC30000-0x0000013BB06F1000-memory.dmp

Filesize
10.8MB

Download
memory/636-971-0x0000013BAFC30000-0x0000013BB06F1000-memory.dmp

Filesize
10.8MB

Download
memory/636-252-0x0000013BAFC30000-0x0000013BB06F1000-memory.dmp

Filesize
10.8MB

Download
memory/636-199-0x00007FFC21CCB000-0x00007FFC21CCC000-memory.dmp

Filesize
4KB

Download
memory/636-222-0x0000013BAFC30000-0x0000013BB06F1000-memory.dmp

Filesize
10.8MB

Download
memory/636-219-0x0000013BCCAC0000-0x0000013BCCAF2000-memory.dmp

Filesize
200KB

Download
memory/636-861-0x0000013BAFC30000-0x0000013BB06F1000-memory.dmp

Filesize
10.8MB

Download
memory/636-198-0x00000000000C0000-0x0000000001D40000-memory.dmp

Filesize
28.5MB

Download
memory/636-201-0x00007FFC21CB0000-0x00007FFC21D6E000-memory.dmp

Filesize
760KB

Download
memory/636-200-0x00007FFC21CB0000-0x00007FFC21D6E000-memory.dmp

Filesize
760KB

Download
memory/636-644-0x0000013BAFC30000-0x0000013BB06F1000-memory.dmp

Filesize
10.8MB

Download
memory/636-203-0x00000000000C0000-0x0000000001D40000-memory.dmp

Filesize
28.5MB

Download
memory/636-204-0x00000000000C0000-0x0000000001D40000-memory.dmp

Filesize
28.5MB

Download
memory/636-206-0x0000013BAF870000-0x0000013BAF871000-memory.dmp

Filesize
4KB

Download
memory/636-207-0x0000013BCBA80000-0x0000013BCBB32000-memory.dmp

Filesize
712KB

Download
memory/636-208-0x00000000000C0000-0x0000000001D40000-memory.dmp

Filesize
28.5MB

Download
memory/636-209-0x0000013BCBD10000-0x0000013BCBD32000-memory.dmp

Filesize
136KB

Download
memory/636-210-0x0000013BCBDA0000-0x0000013BCBFB4000-memory.dmp

Filesize
2.1MB

Download
memory/636-211-0x00007FFC21CB0000-0x00007FFC21D6E000-memory.dmp

Filesize
760KB

Download
memory/636-214-0x0000013BCCA50000-0x0000013BCCA84000-memory.dmp

Filesize
208KB

Download
memory/636-215-0x0000013BCCAA0000-0x0000013BCCABA000-memory.dmp

Filesize
104KB

Download
memory/636-217-0x0000013BCCA80000-0x0000013BCCA94000-memory.dmp

Filesize
80KB

Download
memory/692-803-0x00007FFC1B6B0000-0x00007FFC1B6DE000-memory.dmp

Filesize
184KB

Download
memory/692-807-0x00007FFC1B650000-0x00007FFC1B664000-memory.dmp

Filesize
80KB

Download
memory/692-816-0x00007FFC09D00000-0x00007FFC0A075000-memory.dmp

Filesize
3.5MB

Download
memory/692-814-0x00007FFC13590000-0x00007FFC13648000-memory.dmp

Filesize
736KB

Download
memory/692-813-0x00007FFC1B6E0000-0x00007FFC1B703000-memory.dmp

Filesize
140KB

Download
memory/692-811-0x00007FFC0B7D0000-0x00007FFC0B8EC000-memory.dmp

Filesize
1.1MB

Download
memory/692-809-0x00007FFC1B630000-0x00007FFC1B644000-memory.dmp

Filesize
80KB

Download
memory/692-810-0x00007FFC1B5E0000-0x00007FFC1B602000-memory.dmp

Filesize
136KB

Download
memory/692-806-0x00007FFC1B670000-0x00007FFC1B682000-memory.dmp

Filesize
72KB

Download
memory/692-805-0x00007FFC1D180000-0x00007FFC1D1A4000-memory.dmp

Filesize
144KB

Download
memory/692-804-0x00007FFC1B690000-0x00007FFC1B6A5000-memory.dmp

Filesize
84KB

Download
memory/692-801-0x00007FFC13590000-0x00007FFC13648000-memory.dmp

Filesize
736KB

Download
memory/692-797-0x00007FFC1D0F0000-0x00007FFC1D11D000-memory.dmp

Filesize
180KB

Download
memory/692-796-0x00007FFC1D120000-0x00007FFC1D139000-memory.dmp

Filesize
100KB

Download
memory/692-794-0x00007FFC1D150000-0x00007FFC1D169000-memory.dmp

Filesize
100KB

Download
memory/692-824-0x00007FFC181B0000-0x00007FFC181E7000-memory.dmp

Filesize
220KB

Download
memory/692-818-0x00007FFC1B5D0000-0x00007FFC1B5DA000-memory.dmp

Filesize
40KB

Download
memory/692-819-0x00007FFC1B6B0000-0x00007FFC1B6DE000-memory.dmp

Filesize
184KB

Download
memory/692-820-0x00007FFC19050000-0x00007FFC19061000-memory.dmp

Filesize
68KB

Download
memory/692-821-0x00007FFC183C0000-0x00007FFC183F2000-memory.dmp

Filesize
200KB

Download
memory/692-823-0x00007FFBF5180000-0x00007FFBF597B000-memory.dmp

Filesize
8.0MB

Download
memory/692-822-0x00007FFC18240000-0x00007FFC1825E000-memory.dmp

Filesize
120KB

Download
memory/692-815-0x00007FFC190C0000-0x00007FFC190D9000-memory.dmp

Filesize
100KB

Download
memory/692-812-0x00007FFC190E0000-0x00007FFC190FB000-memory.dmp

Filesize
108KB

Download
memory/692-808-0x00007FFC1D150000-0x00007FFC1D169000-memory.dmp

Filesize
100KB

Download
memory/692-817-0x00007FFC19070000-0x00007FFC190BD000-memory.dmp

Filesize
308KB

Download
memory/692-802-0x00007FFC09D00000-0x00007FFC0A075000-memory.dmp

Filesize
3.5MB

Download
memory/692-780-0x00007FFC1D170000-0x00007FFC1D17F000-memory.dmp

Filesize
60KB

Download
memory/692-800-0x00007FFC0AE40000-0x00007FFC0AFB3000-memory.dmp

Filesize
1.4MB

Download
memory/692-799-0x00007FFC0B8F0000-0x00007FFC0BED8000-memory.dmp

Filesize
5.9MB

Download
memory/692-798-0x00007FFC1B6E0000-0x00007FFC1B703000-memory.dmp

Filesize
140KB

Download
memory/692-862-0x00007FFC1B5E0000-0x00007FFC1B602000-memory.dmp

Filesize
136KB

Download
memory/692-795-0x00007FFC1D140000-0x00007FFC1D14D000-memory.dmp

Filesize
52KB

Download
memory/692-909-0x00007FFC1B620000-0x00007FFC1B62D000-memory.dmp

Filesize
52KB

Download
memory/692-778-0x00007FFC1D180000-0x00007FFC1D1A4000-memory.dmp

Filesize
144KB

Download
memory/692-927-0x00007FFC190E0000-0x00007FFC190FB000-memory.dmp

Filesize
108KB

Download
memory/692-928-0x00007FFC190C0000-0x00007FFC190D9000-memory.dmp

Filesize
100KB

Download
memory/692-929-0x00007FFC19070000-0x00007FFC190BD000-memory.dmp

Filesize
308KB

Download
memory/692-938-0x00007FFBF5180000-0x00007FFBF597B000-memory.dmp

Filesize
8.0MB

Download
memory/692-968-0x00007FFC181B0000-0x00007FFC181E7000-memory.dmp

Filesize
220KB

Download
memory/692-951-0x00007FFC09D00000-0x00007FFC0A075000-memory.dmp

Filesize
3.5MB

Download
memory/692-953-0x00007FFC1B670000-0x00007FFC1B682000-memory.dmp

Filesize
72KB

Download
memory/692-952-0x00007FFC1B690000-0x00007FFC1B6A5000-memory.dmp

Filesize
84KB

Download
memory/692-940-0x00007FFC0B8F0000-0x00007FFC0BED8000-memory.dmp

Filesize
5.9MB

Download
memory/692-950-0x00007FFC13590000-0x00007FFC13648000-memory.dmp

Filesize
736KB

Download
memory/692-949-0x00007FFC1B6B0000-0x00007FFC1B6DE000-memory.dmp

Filesize
184KB

Download
memory/692-948-0x00007FFC0AE40000-0x00007FFC0AFB3000-memory.dmp

Filesize
1.4MB

Download
memory/692-941-0x00007FFC1D180000-0x00007FFC1D1A4000-memory.dmp

Filesize
144KB

Download
memory/692-770-0x00007FFC0B8F0000-0x00007FFC0BED8000-memory.dmp

Filesize
5.9MB

Download
memory/692-984-0x00007FFC1B690000-0x00007FFC1B6A5000-memory.dmp

Filesize
84KB

Download
memory/692-972-0x00007FFC0B8F0000-0x00007FFC0BED8000-memory.dmp

Filesize
5.9MB

Download
memory/692-981-0x00007FFC1B6B0000-0x00007FFC1B6DE000-memory.dmp

Filesize
184KB

Download