20b3dc9a088153eb974afee08192cd0b78c96b847e5705cea818c50043c3bddf

Resubmissions

21-01-2025 14:05

250121-rd357sxper 8

20-01-2025 21:06

250120-zx14ysyqdn 10

Analysis

max time kernel
299s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file01.ps1
Size

35B
MD5

684c57981b5ed26047c34aee9a2453a1
SHA1

2e154e9c0e6abc9a2bc852aeb941fe5d3117fa3e
SHA256

20b3dc9a088153eb974afee08192cd0b78c96b847e5705cea818c50043c3bddf
SHA512

cca14c6add1e0dfed54e0fe425489bf430bcc438acf386fe4d68cf040fbe55e9997b0d85bcd8cca56e66721292497894b599c919f3af248b4a2ef8a1d112c51b

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	4880	powershell.exe
11	4880	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1056	updater.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1056 set thread context of 3732	1056	updater.exe	93

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4880	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 24 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133819422431367415"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: AddClipboardFormatListener 8 IoCs

pid	Process
812	EXCEL.EXE
1728	EXCEL.EXE
6040	POWERPNT.EXE
5352	WINWORD.EXE
5352	WINWORD.EXE
5964	WINWORD.EXE
5964	WINWORD.EXE
5752	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4880	powershell.exe
4880	powershell.exe
1436	msedge.exe
1436	msedge.exe
4080	msedge.exe
4080	msedge.exe
5788	identity_helper.exe
5788	identity_helper.exe
5708	chrome.exe
5708	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	3064	firefox.exe
Token: SeDebugPrivilege	3064	firefox.exe
Token: SeDebugPrivilege	3064	firefox.exe
Token: SeDebugPrivilege	3064	firefox.exe
Token: SeDebugPrivilege	3064	firefox.exe
Token: SeShutdownPrivilege	5708	chrome.exe
Token: SeCreatePagefilePrivilege	5708	chrome.exe
Token: SeShutdownPrivilege	5708	chrome.exe
Token: SeCreatePagefilePrivilege	5708	chrome.exe
Token: SeShutdownPrivilege	5708	chrome.exe
Token: SeCreatePagefilePrivilege	5708	chrome.exe
Token: SeShutdownPrivilege	5708	chrome.exe
Token: SeCreatePagefilePrivilege	5708	chrome.exe
Token: SeShutdownPrivilege	5708	chrome.exe
Token: SeCreatePagefilePrivilege	5708	chrome.exe
Token: SeShutdownPrivilege	5708	chrome.exe
Token: SeCreatePagefilePrivilege	5708	chrome.exe
Token: SeShutdownPrivilege	5708	chrome.exe
Token: SeCreatePagefilePrivilege	5708	chrome.exe
Token: SeShutdownPrivilege	5708	chrome.exe
Token: SeCreatePagefilePrivilege	5708	chrome.exe
Token: SeShutdownPrivilege	5708	chrome.exe
Token: SeCreatePagefilePrivilege	5708	chrome.exe
Token: SeShutdownPrivilege	5708	chrome.exe
Token: SeCreatePagefilePrivilege	5708	chrome.exe
Token: SeShutdownPrivilege	5708	chrome.exe
Token: SeCreatePagefilePrivilege	5708	chrome.exe
Token: SeShutdownPrivilege	5708	chrome.exe
Token: SeCreatePagefilePrivilege	5708	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe
5708	chrome.exe

Suspicious use of SetWindowsHookEx 62 IoCs

pid	Process
812	EXCEL.EXE
812	EXCEL.EXE
812	EXCEL.EXE
812	EXCEL.EXE
812	EXCEL.EXE
812	EXCEL.EXE
812	EXCEL.EXE
812	EXCEL.EXE
812	EXCEL.EXE
812	EXCEL.EXE
812	EXCEL.EXE
812	EXCEL.EXE
812	EXCEL.EXE
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
1996	CredentialUIBroker.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
1728	EXCEL.EXE
1728	EXCEL.EXE
1728	EXCEL.EXE
1728	EXCEL.EXE
1728	EXCEL.EXE
1728	EXCEL.EXE
1728	EXCEL.EXE
1728	EXCEL.EXE
1728	EXCEL.EXE
6040	POWERPNT.EXE
6040	POWERPNT.EXE
6040	POWERPNT.EXE
6040	POWERPNT.EXE
5352	WINWORD.EXE
5352	WINWORD.EXE
5352	WINWORD.EXE
5352	WINWORD.EXE
5352	WINWORD.EXE
5352	WINWORD.EXE
5352	WINWORD.EXE
5964	WINWORD.EXE
5964	WINWORD.EXE
5964	WINWORD.EXE
5964	WINWORD.EXE
5964	WINWORD.EXE
5964	WINWORD.EXE
5964	WINWORD.EXE
5964	WINWORD.EXE
5752	EXCEL.EXE
5752	EXCEL.EXE
5752	EXCEL.EXE
5752	EXCEL.EXE
5752	EXCEL.EXE
5752	EXCEL.EXE
5752	EXCEL.EXE
5752	EXCEL.EXE
5752	EXCEL.EXE
5752	EXCEL.EXE
5752	EXCEL.EXE
5752	EXCEL.EXE
5752	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 1056	4880	powershell.exe	88
PID 4880 wrote to memory of 1056	4880	powershell.exe	88
PID 4880 wrote to memory of 1056	4880	powershell.exe	88
PID 1056 wrote to memory of 3732	1056	updater.exe	93
PID 1056 wrote to memory of 3732	1056	updater.exe	93
PID 1056 wrote to memory of 3732	1056	updater.exe	93
PID 1056 wrote to memory of 3732	1056	updater.exe	93
PID 1056 wrote to memory of 3732	1056	updater.exe	93
PID 1056 wrote to memory of 3732	1056	updater.exe	93
PID 1056 wrote to memory of 3732	1056	updater.exe	93
PID 1056 wrote to memory of 3732	1056	updater.exe	93
PID 1056 wrote to memory of 3732	1056	updater.exe	93
PID 4864 wrote to memory of 3064	4864	firefox.exe	102
PID 4864 wrote to memory of 3064	4864	firefox.exe	102
PID 4864 wrote to memory of 3064	4864	firefox.exe	102
PID 4864 wrote to memory of 3064	4864	firefox.exe	102
PID 4864 wrote to memory of 3064	4864	firefox.exe	102
PID 4864 wrote to memory of 3064	4864	firefox.exe	102
PID 4864 wrote to memory of 3064	4864	firefox.exe	102
PID 4864 wrote to memory of 3064	4864	firefox.exe	102
PID 4864 wrote to memory of 3064	4864	firefox.exe	102
PID 4864 wrote to memory of 3064	4864	firefox.exe	102
PID 4864 wrote to memory of 3064	4864	firefox.exe	102
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103
PID 3064 wrote to memory of 940	3064	firefox.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file01.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Users\Admin\AppData\Local\96a46a5e-18a7-4bdf-84c0-d5e5f3064273\updater.exe
  "C:\Users\Admin\AppData\Local\96a46a5e-18a7-4bdf-84c0-d5e5f3064273\updater.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3732

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Desktop\CheckpointTest.xlt"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:812

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9321ae72-caca-43c7-b22e-02743fd488e4} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" gpu
    3⤵
    PID:940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9aae6f3-ee64-4627-9f47-ccaf43110b67} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" socket
    3⤵
    PID:4372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2724 -childID 1 -isForBrowser -prefsHandle 2524 -prefMapHandle 3164 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f49e18d0-e690-4e6b-b4ff-77c01bf7227f} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" tab
    3⤵
    PID:3632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3872 -childID 2 -isForBrowser -prefsHandle 3864 -prefMapHandle 3860 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1574602f-114b-4756-bb5b-c6363ab8575d} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" tab
    3⤵
    PID:3488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4828 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4708 -prefMapHandle 4844 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1485acd1-ccc3-4506-9400-141902def2f5} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" utility
    3⤵
    - Checks processor information in registry
    PID:4444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5328 -childID 3 -isForBrowser -prefsHandle 5460 -prefMapHandle 5452 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4289daef-162e-4060-a011-c4be3ca552fe} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" tab
    3⤵
    PID:3428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 4 -isForBrowser -prefsHandle 5672 -prefMapHandle 5668 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b7495dd-a41f-4e32-a7d2-949e22f23f6a} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" tab
    3⤵
    PID:4084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5812 -childID 5 -isForBrowser -prefsHandle 5436 -prefMapHandle 5564 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a64ce59-6a56-4dbf-a92a-576c542fe0cb} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" tab
    3⤵
    PID:3784
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5632 -childID 6 -isForBrowser -prefsHandle 5644 -prefMapHandle 6276 -prefsLen 27228 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {746b2727-8cb7-4d81-82b2-e8da75c13d1b} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" tab
    3⤵
    PID:4020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6480 -childID 7 -isForBrowser -prefsHandle 6392 -prefMapHandle 6396 -prefsLen 27228 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {989e7c20-5697-4159-921c-d1b2f71b64c9} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" tab
    3⤵
    PID:3256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4152

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:2140

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Desktop\CheckpointTest.xlt"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\ReadPush.mht
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcfc9146f8,0x7ffcfc914708,0x7ffcfc914718
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,3552536056055742205,8754895614816492792,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,3552536056055742205,8754895614816492792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,3552536056055742205,8754895614816492792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3552536056055742205,8754895614816492792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3552536056055742205,8754895614816492792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,3552536056055742205,8754895614816492792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,3552536056055742205,8754895614816492792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3552536056055742205,8754895614816492792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:5908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3552536056055742205,8754895614816492792,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3552536056055742205,8754895614816492792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3552536056055742205,8754895614816492792,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:6100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5404

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\UndoShow.pot"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:6040

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\PopInstall.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5352

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\WatchCopy.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5964

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\ConfirmOpen.ttf
1⤵
PID:5624

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\SaveDebug.xla"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcea39cc40,0x7ffcea39cc4c,0x7ffcea39cc58
  2⤵
  PID:5900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,13965385312600998447,14591887643504434917,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:5272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2008,i,13965385312600998447,14591887643504434917,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  PID:5928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,13965385312600998447,14591887643504434917,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2492 /prefetch:8
  2⤵
  PID:5812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,13965385312600998447,14591887643504434917,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3316,i,13965385312600998447,14591887643504434917,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4580,i,13965385312600998447,14591887643504434917,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3724 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4812,i,13965385312600998447,14591887643504434917,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4836,i,13965385312600998447,14591887643504434917,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4852,i,13965385312600998447,14591887643504434917,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4960,i,13965385312600998447,14591887643504434917,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:6092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,13965385312600998447,14591887643504434917,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5396,i,13965385312600998447,14591887643504434917,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5700,i,13965385312600998447,14591887643504434917,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5352 /prefetch:2
  2⤵
  PID:5844

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
b0b5f20763cfe618c5cd76f6c19e46f1

SHA1
e670a297a599f8c75d3134b47e33273449d6b416

SHA256
7b18301d609e6119f22bfa14afdc1db73607c74cadd9c160229014ea1fee816d

SHA512
e040133757d198d599fe4886b0119c9ed48f70248f59d75f7f623ce37eb3758013122530eb5da4db562a87f45f6934c33a5159ad4dca2d7de67a65436fc6d68b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
cbe48a67ae2e7ff2e47772874f42e67b

SHA1
411df8ff00bfb72a4e64f581b58f3ee866674eeb

SHA256
93db9248df0a4d2dc31804bab4818763977151af14c012259451f3485a97a945

SHA512
f01d66a9bb63652b1fdba897ab47da70348182445188b3e753bfbc19bfdb69667eaa86b2eaacde27a87fc5bfd4a46c309674e187523bf750eca0c091edf3b372

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
20e64b00088a9559c728a14e4531ffa3

SHA1
c9d7ab909a2ffb7dc79ae5090895b861c0de3196

SHA256
8432920aae7dd6cdc1a0faf4aae7cffc8042da0df9b634e06ab8c0651921630d

SHA512
c50b86cb7aa4198424e9420e18e511a8cec1de1b4380efa0dd6e147cb60b2fe59b5698ea27374a213d1ecbe579982b0ef7d53d121f370df874d073f4e71704b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
ed5c5b64b93baf8d04e396b09f90b1e5

SHA1
f2036b29216ec2feb1d50a30a9ab8a924c6df196

SHA256
4fd8c3fcc23943b3bc15c58659f900da9e8658b4df22a7dd331e105817de38ae

SHA512
a7d6ef6fdf53037a3be556ae1df98389873bc36ccd2756b254140236e4b44920e9fcd90d17111b7b6e49b9d19296eb5299044f5c22b91c3b1315babcfa630c70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
d37fc394fd23c300af9e2d7a74707a64

SHA1
cc51768bdba8e35d38ef06706369b20e2759b7ff

SHA256
6abbe3ad0e61c95266a42f9d4502356c70102aaf255a60072543ec3359e81abc

SHA512
ae4ba9c813c79cacc7340af2782ea5f011564cfbcacc09a0edc6a4d259aab0c157b522b3160d35ba94687bf2f358c67c75f2fdf177ad16413d0f013dcec50860

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
e1ce346a1802b79cfc2c8526be22e9fa

SHA1
9eb797b711aa4f1f1f689290cd946fa00fa11269

SHA256
f2db609312cfea59d76d1e484c90a786b6a3b93de2100de037f3dfd63906a3dc

SHA512
a862030da271cd0b55431824db30e2e3656407a58851ccbac3d17c2369a7dc32e9a5935518314c5d7b6ad284f86ee6c9393bcc5c38c0e4cb0a50f3390b2e5ea9

Download Submit
C:\Users\Admin\AppData\Local\96a46a5e-18a7-4bdf-84c0-d5e5f3064273\updater.exe

Filesize
5.3MB

MD5
3c096c52d1f6250c1f809cf41fedc0ba

SHA1
3337edd136b544db4e43b0b1fce2c8cf853677e5

SHA256
9ed2684928ee595c5909962c5959509d3e9ea59dd9e048e696d4f20d7b9aca07

SHA512
fed9c2b0087a933374252dcaf7c234f7c8ee0e1428054ef0e1a1b2c51be1cd8483ea90b3923ea4223ea5b1765e1009dd5261a2f1ae01b43d39444deca548705f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e2dbbaf4ec82483778a39aa96dc32444

SHA1
f3c40c3f8e6ced373b545c159b5c9d11cc659b2f

SHA256
c843ce9d835db3bd75a1bb5cf0b5a8bbb32f32d80cafe172012e4a9272cdd5d4

SHA512
7dc5f4e54e044ed29a10321cd289c1ca9796b2db7392ebc7489d50f86bff9b63bd99c0ce12094b550082e921feb6cb19d0c6014a17985768c7fb1c2e22c56f42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f9e74906c5a9cebc81574f46f3d70498

SHA1
bde375bcfca6097b798d727f19121aa55af90168

SHA256
5119fb86cfb98e2553d27d0cd7123a1a1f6327ff7ade1d629253f0d346dcd348

SHA512
7374bc775f1f702d0acc41752dfa370e62c16d58896ea7ef2556652846389fb53971e88a6b28211c4325baaf7d222ca8447e595bdc39aa17fff9f0370714cf12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
60c0f8b943f44cecacf102eb83fe8f5c

SHA1
b7752425ed3d370bf3d9ea481e36ccbdb9e3f378

SHA256
d4d24be64f494c0e9dc671c4bb1acee31ef28cac3b6a795b4da15210591f01d8

SHA512
053210e7dbf6f53b62ded65691866435c4b52ecc83d2b05488b9f716deac5fee9a008fec57c7456ed937d42c5fe73cd3463dbf901de7cf6e8ca27c413554a245

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
1baa09d6a83c3ac4fb03355e793d7028

SHA1
4c49f824fbaaa098f022f2fd98111d8f531cba40

SHA256
2ef57b4a31aa4e6456bda7201382ffd879b943d036bf2b0563a4a7a6adb75d5b

SHA512
6e722ff98b6418892eafab432af3a8f72e630de72fc5496a3b92c5d93edbb366ff7f1a1b146076ca98dec796cefb2cfc0bb6e357abba83aac3c7f7b8c23b3242

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ab5c593b85c355821cf0060b359f8e71

SHA1
0810fe8282bd58b1e402c99affcd095c50b6de2a

SHA256
15f83cf70b10be22a7b451353713dd10b28fa9372ffb1ffafc10458759715cf3

SHA512
b52014862b7ea154ab53dfb73f6afc521ae41aef7b84a893d4f0ae17733a52f8fe766c12520d3eadd87899c9f49742c1fcaf461260874adacc401acf4058833a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ebed02c4722e68ac44d8cd29c00768ae

SHA1
2d8a404cfd80885ba702f661bf53bd1fbc512baf

SHA256
7c0ac7422e94ee2749a1090a48eec245f9defc00c19a54bf1d9dc93c90e9e591

SHA512
f37377975ccbff0991225ff01631773ea3662165113b730670f97774d4e40bdc595c405c62303108ebcc6cc603fb1503e24a0a040a396f59f806d12ed456afef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9c610802d36fb471092f735713145302

SHA1
7984ea9cc07d646129e1eb7e18dc9ade5aa7738b

SHA256
71c0cbd5dbf87df8fa80a950634893b238aa01f1aec8888a7c03792bde996cb1

SHA512
6304601216bfe95fe8d791fe13541dcb255d6b2b5ac325ae4f94f9c2b138165b4bc1d297b72e63d95bbdff93ec72758f5828cc00c1544813830d1ad3504569a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
537B

MD5
79b9fbafb66f03f446dc198490d34ede

SHA1
16178912b6bfd91a22e08107badebbad58b8fb8f

SHA256
3be7386faec1bd04dd69d09951c96923372ae88c93ea4efc99aaf9e68fb0f588

SHA512
4aec33d70275c313124696eb14c72cd06bbff95c3a028261b274c0eb7f91fe7b92712970829e6077f0e8e99c307f11a44139c47ebc806652710da52af96875f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

Filesize
110B

MD5
87febbe46a0c2a28626df884e6c44200

SHA1
ae3f5ed8c77aaf7487ce3ecf4746c03c47e5888a

SHA256
d1ce659b406064063d449254b4b0df979d538e07896414e1a7ab92d5873a84cc

SHA512
0cb8fcbbcc6b3d249600d19cf731425d8fefed222421e8fa5e22384c1261271c96ac86e244c4664adaa8afb95866bad557e192e4db4c659386c66af7c9b9ce7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\783D9A61-CD87-4BB6-A9D9-C0C609285C2C

Filesize
177KB

MD5
14a8c3d0d3dfae0b8d1a9911e490734e

SHA1
50e2ff6e868a1418abd7fbf9f4e275ff203f6744

SHA256
d59f5db36e5f035f456ab54b1853447befc26d71aee2bad6e2f1a6de805adc9b

SHA512
07ad9617eea38f48d58d4695ffeb77fae347188f8d5508c5acad6fe3595f0444a40a93cedfd0521dcffc36743be4d722a381503760a178480aff6f3e428918ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
321KB

MD5
b2f6e37b9e2ecb984da45b0bc3236fc7

SHA1
b890bed54918fe99428a313d0eed671241444bf0

SHA256
a9b0808bf6ad5d3ce667bf32d759c4548bd88bf0e00b5e866395e1da2b1604c9

SHA512
6a0257ce8dfab8cfcff2d952b1f455876984fd3d6e46ca031a39122f7557184dcc9e7b0866c8c802627b3e84bf2992ed2a54499bfa7e40e7faeaaf156cddc478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
12KB

MD5
99e618714611c00c637a55afd010df60

SHA1
d3133008470499892f238289e32ca8dd4ab32088

SHA256
8246ab5517e9ee03fd9bd4ac9f8d544bba4b7f28de1fdc56a5f2b92548408097

SHA512
9881d38c1b806f63eb87cbead00e039c1ecc35913de54d7ef0f8a50b7a3080094689e2262bc6fae022fb51574ae311452c041d3f3dfb4db267d38a8c39452f05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
15KB

MD5
54665990c8d8672b682362e8f6c34c77

SHA1
b33bb7a91dab3a1e6db24d7d166092961fe5e387

SHA256
3167cb833a86f73531c22f7ff82c2a9f13d3aa68e9860d0ba017782c54ffc84b

SHA512
a60e2bb94eee3005b5e406ce6021ba4a6a15e8baf6a12edab11aa0c986378d2568a49c1453730244f18175f93822e19a768230dfa480355f68266d60d980c2ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
33eea2792b9fa42f418d9d609f692007

SHA1
48c3916a14ef2d9609ec4d2887a337b973cf8753

SHA256
8f7807c324626abc2d3504638958c148e2e3f3e212261f078940cf4c5f0c4fbb

SHA512
b2dbfcdf2599c38c966c5ebce714a5cd50e2f8b411555acf9f02b31b9c29b8ab53a9afa9d32bab87a06e08f8b2c7818d600773f659a058c8af81c50be7f09b95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
8665de22b67e46648a5a147c1ed296ca

SHA1
b289a96fee9fa77dd8e045ae8fd161debd376f48

SHA256
b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

SHA512
bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
f77f63655d141ba1b9ea65a1fea2b494

SHA1
2ca41fc218d23b08651f2303e8f5206c15e55717

SHA256
619c6f3bdaa6e3549e0d3205c9550441ec1c6bdf45115ca8f85c3ac7e77a2648

SHA512
e1bf26536c1ffe3ca5f7e38b0eeae127a4352d8fbae9c432fd31b3adb2bd119afc8eee59a9980b2c7d473694bf6a3cc281e3557d2be469ed095f9ab5495d5f91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
18224b91e5116cd745a9549a76ee3bcb

SHA1
22482d954a6831f405a5b72b2d207449514a6f77

SHA256
6fcd026dec2d4da24c93309dd29fdaae19d24473599ab2fcb7b91d2064f3773f

SHA512
db4e3f76fe51a0a9083b29dd50139f60696828297efb73ae4159f1378260baf6a8e0e4dde9b2826c63e69cbc4b686b521986d48b36a753b1f56d6e9f75d889c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
e1561f58d9e183a661b04aab2d43897a

SHA1
4dfcafdddb5dcf0b36edde245da05d1adf996131

SHA256
c91f1d34881f5d76dd8c304a463879132200b0e27ac65d784701d8e0ff402371

SHA512
a9fda2bbd014aa789b71548512fdf9fd2b0ee69c110007383b19ccac17ec07ab1dd9c586a2a08eb15f1548371f746b8c02351e3e777770f1e309435c5d1c71ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
05f855a1e874990b346c4c223cbe15f8

SHA1
ad27f5b32c75c791b0219766f9b3e2d641ee5542

SHA256
32d0033f38265c337c59604d70c68ac5d1961289453e57142af9db48d1f11a8e

SHA512
eb91fc4546b06dfdaedb8062be0eea0abcd30aa1094edbe7e678bbf4b38a235dd811fd3ccdd81f5bbbd2e267b54048bf692bb5dfdf7d6c7b7c7ee59b2de14309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres

Filesize
4KB

MD5
e277e13b24bcd7c965144172524903b1

SHA1
641fc381a5a63dae2c282e7729719d66bc53f92a

SHA256
d30a5367bbccdc13db2261795e995530595184e1566f7b7753bb2a4b82cf2c7e

SHA512
fb16ef3c769a843b9ad907c2dec958f13d882d32deffa0da9e9a32af53e59206e6f603d1b28a533df9bacf329011b5d84941570d3b023b58c4c835d5e4eafd3e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
f3bb491003bf3ce50a608969293e00b9

SHA1
76754b40480adc1b2fa23df3e9f6b2c0437fc405

SHA256
91162e4d0922136d5309942e40634adb5a470d060eae3cf475ec330e75cf156d

SHA512
17524a260895299da1001edb89ae8fe217cdf7243d1bfe652aedc7e94f297e0a417c28bb7c63130bf9a29f125c14978210d38148784f498a6c6e3643f6615f68

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oz1c3caq.fd2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea7a47bf-7a34-439f-ac3e-1e241d6a9975.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5708_1422396297\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5708_1422396297\f3fca9f8-53f1-4020-8789-4845c8bff49e.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
323B

MD5
775ed42d6283c703d41693ec9663c4b5

SHA1
dbcbd66ae192afed1ab1d9ca276e9cffa43400b2

SHA256
3df2ee1c27be6ec8fd551d0b2b33c339be5b21258316c4c035a6c17be7744db4

SHA512
66ab3e2852f917149207ca2c7bbff864c81bb36b4c204a700437488c47144c94c125643a6271bca6fd74991705c9229cfa086e8e5906514ed91c7d33f8ae6314

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
323B

MD5
7dfd5e745e5b2662f02fd0212b8d3ace

SHA1
65f0337e586f74299a5fae1347afc5e39055b4f0

SHA256
12636af7fc0b57535442c6ffeb831e7e0df1bb566b3f7483ed0b68ce2c2b1546

SHA512
c7ac8b800cfaf603519c8d8b0857a9e50a41f8080f6fa4e4af91f1ee64fb2ba660ce11f23a2a3a8ae2abe85e68bea34fcbe8955ecb61f648ea9028a2bd2fb967

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
376B

MD5
c862a2c7acac8f1ea808bfb6836d6e4d

SHA1
abb51cab7d23f2ac34bf5aec7e33cef0e848c743

SHA256
a80758ea9d44218adc52890038732395ccf9f13bef1d72f83549ee33a8d29973

SHA512
0f946a9b7efc6c5badfda936abe24608fc6352c3de33efeb4e01e7884bd49d19570379b6ba3f8df81d00460358f2e75553eaabccb2dac06f2f9928967ed69089

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin

Filesize
6KB

MD5
e25b43932b5dd021af51d301f49222da

SHA1
0a999ade3de61f8567a433ba8970c44a0c91f000

SHA256
13402bab8cc237ac3e66240280049d4dd3df105a088db30a789fda4625416567

SHA512
0aa6878914a4de38ba8fc8727b1525d3f1eea3c076cc28d42d096a12eaf53c8584803d572611f6602c4b7cf7a87301adb15a0a113ed740dfbbb372050b80e2cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin

Filesize
8KB

MD5
1c8c19bf0519af1afe4fc3ab176189f5

SHA1
67bfb0b266435a66b2ff1006d95862b2cbd283d2

SHA256
a8144d6880889bf29663ac00e88fc02e85b4b311612f338ece3dc22337afd8f9

SHA512
78a66e04837583cf62bf9d7cd3181656f340cde6f9fe22b767d24057ec14e0c876c54b8bbedc086e80ebdb45e0e60e9484b31d8dbb61274218e6436b3b420a16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin

Filesize
16KB

MD5
45eff9195c2bff3cba6d5f8d596d7c7e

SHA1
139e588d25e7a867a77fff286a71b9d11074a704

SHA256
5b47e6ed9475a8db9be167ab0cc573fed9990de4d63f060c2242a79afd24828a

SHA512
6234a91ddaf64517601929b52ec0d13f81309576c59a703aa8b92741465c772bbae1aec9d59f4943892e35d4839ff85667bb2e6312def2ce016f98846107f478

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
68ea0d54879a4b0538db3e33c7333e65

SHA1
4692c53f94a7f3e8ce292e682c012b2a3a89005d

SHA256
b28fbc6d41e95bac0a9dbf8b8b45f949750e715927468bbc053a7d72c46fdb61

SHA512
c1e0155bc6236d707e5e06b17de4e9b293b3840cf3e3e313ecf5c68365175c34e2af42238c6d9c4f233d55ec48c5ddecd3233668a481b4c5fc8d3c8d3b3a6f88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\0d7e5bac-c19c-482e-b9e1-df61926761ef

Filesize
982B

MD5
d1f71c6d4e3e5a51ed08289dac53b2d0

SHA1
8b235814baad9957248da8c520eef94c88c54759

SHA256
d1367edaec439f080b8cbc88e14c7796d119d1676d0500d5fc766043e92cc05a

SHA512
89070353b72be38b90bd42f346577baf9d396c3de74d5bd325fe7b73c7f680cce493d2e8ad981116002d576dc9c5b4dcd471336dd163bc79d84cc94f5c061c68

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\af3015be-a4b7-43df-9963-9a089959e08e

Filesize
671B

MD5
c05822831aa6e98ba6d07cc0139e69d7

SHA1
7a7030bd58d384069c62659aab1b594455dad13c

SHA256
6c6e9ea05d30915a78b1e41c91bcdc9a62244d62ba6682743d936ffe168a86f7

SHA512
229eba0d9a26d761b90066bec1766f974cf8aee84b52994bcfb681ee50c124151cbf5554d65dd2db16b31615ec8e83b5812ed4a3bd62904d2af77d7db32b6620

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\c875a6f3-1dc4-4847-8f47-beecda3708de

Filesize
25KB

MD5
7559e49a5e0446ac07588569ed90b146

SHA1
4f4f06765182274239345a3b3aa0a7d9cd94380e

SHA256
b585fc8152144f861841a5442275b6f8f6f34e9b01eac6a5910635a1b02bf139

SHA512
b06fa8d9b4e402aec5d21be6b02e7e17d8c7d1b7646b55283041c2ba44fc83b1e97d9285e72e74d73884c4557daeda26400dbc40710f80c5ccab6fe9ce0772d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs-1.js

Filesize
10KB

MD5
1253b8b562acd66a86e3d9b4737be309

SHA1
c6b3a3b63b813a683a2d343313d25780e5ae61e8

SHA256
4ba08ece3e40d117053e908f3129f2beafde66e8b8fd60d8ec5466243b03c9fe

SHA512
4aceeaeb3e693d3d588e6738119760f55b9eec387c9cbe25aadee1e1d38e4b2f91997dc4bc22810d084771d0693af25cd8f9ffa8c9d60e855be73f496ca17ac0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs.js

Filesize
10KB

MD5
61f2fbf7f90e52ce617766db11941700

SHA1
ab0df6fac65b0ede03f3281514495758744d56d2

SHA256
b077945e07f395378d1b9c5958aaa86fcc8a631a66f27c6a9b73dc87c8d92a1f

SHA512
c2d8b150ee6a7e153a84f6aeab85fc4548b8c62bfd5cccad5b92b948531ebf7ace8ac6c5dc73f72358dc5c8cb0e2a77d27ac4fde7556a52e99c7d1cdd7e4a3f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
076695150671772dd034f97af252bd6c

SHA1
a1b88d2dc8e3f009f6505a47b40ac670d2475878

SHA256
69400a621075955119a24a9de9c4befb0e68212b89ac16f01c2b815b4e4ee583

SHA512
30052c4d70d5698bf06b86dea5e162bdbe1d96ceb66f463f4f31e13c8b20102a990c5e8869d5bef39dbd1c1fc961c76f4dbed3a00e0692ab598c05159ee4a32f

Download Submit
memory/812-94-0x00007FFCC8D20000-0x00007FFCC8D30000-memory.dmp

Filesize
64KB

Download
memory/812-130-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/812-89-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/812-90-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/812-91-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/812-92-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/812-93-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/812-95-0x00007FFCC8D20000-0x00007FFCC8D30000-memory.dmp

Filesize
64KB

Download
memory/812-131-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/812-132-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/812-133-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/1728-616-0x00007FFCC8D20000-0x00007FFCC8D30000-memory.dmp

Filesize
64KB

Download
memory/1728-645-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/1728-613-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/1728-618-0x00007FFCC8D20000-0x00007FFCC8D30000-memory.dmp

Filesize
64KB

Download
memory/1728-615-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/1728-614-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/1728-611-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/1728-648-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/1728-612-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/1728-647-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/1728-646-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/3732-77-0x0000000000390000-0x00000000003EB000-memory.dmp

Filesize
364KB

Download
memory/3732-83-0x0000000000390000-0x00000000003EB000-memory.dmp

Filesize
364KB

Download
memory/3732-81-0x0000000000390000-0x00000000003EB000-memory.dmp

Filesize
364KB

Download
memory/3732-76-0x0000000000390000-0x00000000003EB000-memory.dmp

Filesize
364KB

Download
memory/4880-88-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/4880-66-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/4880-65-0x00007FFCED2A3000-0x00007FFCED2A5000-memory.dmp

Filesize
8KB

Download
memory/4880-13-0x0000027129220000-0x00000271299C6000-memory.dmp

Filesize
7.6MB

Download
memory/4880-12-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/4880-11-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/4880-0-0x00007FFCED2A3000-0x00007FFCED2A5000-memory.dmp

Filesize
8KB

Download
memory/4880-1-0x0000027127B50000-0x0000027127B72000-memory.dmp

Filesize
136KB

Download
memory/5352-803-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/5352-801-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/5352-828-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/5352-829-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/5352-830-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/5352-831-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/5352-802-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/5352-805-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/5352-804-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/6040-773-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/6040-775-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/6040-776-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/6040-796-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/6040-797-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/6040-798-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/6040-799-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/6040-779-0x00007FFCC8D20000-0x00007FFCC8D30000-memory.dmp

Filesize
64KB

Download
memory/6040-778-0x00007FFCC8D20000-0x00007FFCC8D30000-memory.dmp

Filesize
64KB

Download
memory/6040-774-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/6040-777-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download