lumma | hxxps://goo[.]su/beVuS

Analysis

max time kernel
222s
max time network
216s
platform
windows10-2004_x64
resource
win10v2004-20241007-de
resource tags

arch:x64arch:x86image:win10v2004-20241007-delocale:de-deos:windows10-2004-x64systemwindows
submitted
23-01-2025 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://goo.su/beVuS

Score

10^/10

lumma discovery execution spyware stealer

Malware Config

Extracted

Family

lumma

https://toppyneedus.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2308	Powershell.exe
3560	powershell.exe
4888	Powershell.exe
4652	powershell.exe
3628	powershell.exe
1716	powershell.exe
2592	powershell.exe
2008	Powershell.exe
4888	Powershell.exe
1656	powershell.exe
4440	Powershell.exe
3280	Powershell.exe
2308	Powershell.exe
1036	Powershell.exe
4528	powershell.exe
2340	Powershell.exe
228	Powershell.exe
3884	Powershell.exe
1496	powershell.exe
2416	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
3304	Driver.exe
2200	Driver.exe
2992	Driver.exe
3060	Driver.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3304 set thread context of 2200	3304	Driver.exe	134
PID 2992 set thread context of 3060	2992	Driver.exe	159

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4892	3304	WerFault.exe	130
5100	2992	WerFault.exe	158

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Driver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Driver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Driver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Driver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133821110855397743"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1732	chrome.exe
1732	chrome.exe
4440	Powershell.exe
4440	Powershell.exe
4440	Powershell.exe
2592	powershell.exe
2592	powershell.exe
2592	powershell.exe
2308	Powershell.exe
2308	Powershell.exe
3280	Powershell.exe
3280	Powershell.exe
2308	Powershell.exe
3280	Powershell.exe
3560	powershell.exe
3560	powershell.exe
1496	powershell.exe
1496	powershell.exe
3560	powershell.exe
1496	powershell.exe
1036	Powershell.exe
1036	Powershell.exe
2008	Powershell.exe
2008	Powershell.exe
2008	Powershell.exe
1036	Powershell.exe
4528	powershell.exe
4528	powershell.exe
3628	powershell.exe
3628	powershell.exe
3628	powershell.exe
4528	powershell.exe
2200	Driver.exe
2200	Driver.exe
2200	Driver.exe
2200	Driver.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
4888	Powershell.exe
4888	Powershell.exe
2340	Powershell.exe
2340	Powershell.exe
4888	Powershell.exe
2340	Powershell.exe
2416	powershell.exe
2416	powershell.exe
4652	powershell.exe
4652	powershell.exe
2416	powershell.exe
4652	powershell.exe
228	Powershell.exe
3884	Powershell.exe
228	Powershell.exe
3884	Powershell.exe
228	Powershell.exe
3884	Powershell.exe
1656	powershell.exe
1656	powershell.exe
1656	powershell.exe
1716	powershell.exe
1716	powershell.exe
1716	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
688	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1732	chrome.exe
1732	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe
1428	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4500	javaw.exe
4516	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 4000	1732	chrome.exe	82
PID 1732 wrote to memory of 4000	1732	chrome.exe	82
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 4992	1732	chrome.exe	84
PID 1732 wrote to memory of 496	1732	chrome.exe	85
PID 1732 wrote to memory of 496	1732	chrome.exe	85
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86
PID 1732 wrote to memory of 4956	1732	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://goo.su/beVuS
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcec21cc40,0x7ffcec21cc4c,0x7ffcec21cc58
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1636,i,16071293771833464501,4430871033678328737,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1628 /prefetch:2
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,16071293771833464501,4430871033678328737,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  PID:496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,16071293771833464501,4430871033678328737,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2244 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,16071293771833464501,4430871033678328737,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,16071293771833464501,4430871033678328737,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4780,i,16071293771833464501,4430871033678328737,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4492,i,16071293771833464501,4430871033678328737,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4444 /prefetch:8
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4820,i,16071293771833464501,4430871033678328737,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2204

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1772

C:\Users\Admin\Desktop\Neuer Ordner\Setup.exe
"C:\Users\Admin\Desktop\Neuer Ordner\Setup.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2996
- C:\Users\Admin\Desktop\Neuer Ordner\jre\bin\javaw.exe
  "C:\Users\Admin\Desktop\Neuer Ordner\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\antlr4-runtime.jar;lib\asm-all.jar;lib\commons-email.jar;lib\connector-api.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\dyn4j.jar;lib\gson.jar;lib\HikariCP-java6.jar;lib\javassist-GA.jar;lib\jaybird-jdk18.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-game-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-sql-ext.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\mysql-connector-java.jar;lib\postgresql.jre7.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\sqlite-jdbc.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4500
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process PowerShell.exe -WindowStyle Hidden -ArgumentList '-Command "Set-ItemProperty -Path "C:\Users\Admin\AppData\Local\Temp\/LocalTempCached" -Name Attributes -Value ([System.IO.FileAttributes]::Hidden)"' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4440
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-ItemProperty -Path C:\Users\Admin\AppData\Local\Temp\/LocalTempCached -Name Attributes -Value ([System.IO.FileAttributes]::Hidden)
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2592
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process PowerShell.exe -WindowStyle Hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\/LocalTempCached""' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2308
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:\Users\Admin\AppData\Local\Temp\/LocalTempCached"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3560
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process PowerShell.exe -WindowStyle Hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring $true"' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3280
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process PowerShell.exe -WindowStyle Hidden -ArgumentList '-Command "Set-ItemProperty -Path "C:\Users\Admin\AppData\Local\Temp\/LocalTempCached/Driver.exe" -Name Attributes -Value ([System.IO.FileAttributes]::Hidden)"' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1036
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-ItemProperty -Path C:\Users\Admin\AppData\Local\Temp\/LocalTempCached/Driver.exe -Name Attributes -Value ([System.IO.FileAttributes]::Hidden)
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4528
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process PowerShell.exe -WindowStyle Hidden -ArgumentList '-Command "Start-Process -FilePath "C:\Users\Admin\AppData\Local\Temp\/LocalTempCached/Driver.exe""' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2008
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Start-Process -FilePath C:\Users\Admin\AppData\Local\Temp\/LocalTempCached/Driver.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3628
    - - C:\Users\Admin\AppData\Local\Temp\LocalTempCached\Driver.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LocalTempCached\Driver.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3304
      - C:\Users\Admin\AppData\Local\Temp\LocalTempCached\Driver.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LocalTempCached\Driver.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2200
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 824
        6⤵
        Program crash
        
        PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3304 -ip 3304
1⤵
PID:580

C:\Users\Admin\Desktop\Neuer Ordner\Setup.exe
"C:\Users\Admin\Desktop\Neuer Ordner\Setup.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4392
- C:\Users\Admin\Desktop\Neuer Ordner\jre\bin\javaw.exe
  "C:\Users\Admin\Desktop\Neuer Ordner\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\antlr4-runtime.jar;lib\asm-all.jar;lib\commons-email.jar;lib\connector-api.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\dyn4j.jar;lib\gson.jar;lib\HikariCP-java6.jar;lib\javassist-GA.jar;lib\jaybird-jdk18.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-game-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-sql-ext.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\mysql-connector-java.jar;lib\postgresql.jre7.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\sqlite-jdbc.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4516
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process PowerShell.exe -WindowStyle Hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\/LocalTempCached""' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4888
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:\Users\Admin\AppData\Local\Temp\/LocalTempCached"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4652
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process PowerShell.exe -WindowStyle Hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring $true"' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2340
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2416
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process PowerShell.exe -WindowStyle Hidden -ArgumentList '-Command "Set-ItemProperty -Path "C:\Users\Admin\AppData\Local\Temp\/LocalTempCached/Driver.exe" -Name Attributes -Value ([System.IO.FileAttributes]::Hidden)"' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:228
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-ItemProperty -Path C:\Users\Admin\AppData\Local\Temp\/LocalTempCached/Driver.exe -Name Attributes -Value ([System.IO.FileAttributes]::Hidden)
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1656
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process PowerShell.exe -WindowStyle Hidden -ArgumentList '-Command "Start-Process -FilePath "C:\Users\Admin\AppData\Local\Temp\/LocalTempCached/Driver.exe""' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3884
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Start-Process -FilePath C:\Users\Admin\AppData\Local\Temp\/LocalTempCached/Driver.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1716
    - - C:\Users\Admin\AppData\Local\Temp\LocalTempCached\Driver.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LocalTempCached\Driver.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2992
      - C:\Users\Admin\AppData\Local\Temp\LocalTempCached\Driver.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LocalTempCached\Driver.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3060
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 800
        6⤵
        Program crash
        
        PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2992 -ip 2992
1⤵
PID:4764

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:1428

C:\Windows\System32\ljh0xx.exe
"C:\Windows\System32\ljh0xx.exe"
1⤵
PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ae15cb14f62455efa1e5648106e49dfc

SHA1
f28375be820d6961091c121a69a199dd540204a7

SHA256
1167d1a1f5053b82eed17d0a56d2ed20ca68da4924b4473e248c2ceb27715f7a

SHA512
8ee54acfe87936080e163508805f32165f4b385f9ac250b8f23182a117e6f60430cc2448e47a4242e418756a572d871bf818990c1ea2b85a073d594de431178a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
72c599ed5f51553bed253d9bae5e0e34

SHA1
ee4fdd122d7204fc7167781cf29e40808518ccfa

SHA256
456f1450a51ad0d0c50b312a2ec56b718c2a1afd0808b7528b10496927fc5d3e

SHA512
b0ee647587725b41ea536e3800279dc43fceafa31c52b25d742bafb8412e02f0719377c9e0db3d3adda4f4b02410a7e774531477c776fbc2eab1034be0e20cf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
63bbd577f16e4d0c72420cb6e80dd53d

SHA1
33d715e489a2c31629e60354b4789fdf0b9891e0

SHA256
554a9b56096750f5340280266da49d6382f212f5f39fdc5f2ce07c0f5a5847e1

SHA512
161eb099ab661c8cf3b48f5af6fc9521ac6c9700d04c7ea13923c253feb7df1d70d3dba6885b63b711920611c4a313b6370c6ddb01bec0ead411ca69eb1782ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6a9137c3d06e10e0d34380dac9dd9ad8

SHA1
6108e3fba7549c07efb1e6516ed9609fb3f95834

SHA256
db0afd8426f78d38230407db86c772a515a8da400f1c216baf45323b6ad5b0a4

SHA512
2551ea6b697edb09d3f8af19620c914ef17c8749edcb28f831295cdd9d55b34db62c0d14ea521d3b10b9e18dca11c55bd473e77c1be13dbb33807f978e882919

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ec8f03116d7b53ec427320aee5f172c5

SHA1
184ef3e6d8a5345175320c87b05685fcf26aeeb4

SHA256
487fbde363fe6818592f769d09018d8210381ff767ce6bd6167312e53b7f2b89

SHA512
dac2e0d10e33da4f7832a944a4b4421afcbb0691ed1bd78b79c2bde2704ad06e5098313c9e3d333f99a87ef7119f1ee24c9b48bd851429098ad9ace0d3e89ee6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
84078bfb5d689044b2226ecdcc532559

SHA1
e4e645771b1123c04b8dfe53fbfcf9c6ae7f451e

SHA256
25149fa811ffa2f8439dfcab4d0e98c8b994880b90f9393194583c5b45f1cf76

SHA512
1cc3af020c2bcce7801c63b48ada6af1d12fb36cce8643f90eac70c40e27f0dfec53a37677105bdffeb704863b9c4a8d36dd1f06ef181deaff8d8da8cfcb75d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
ebd3a4490708bf38b69b2b7a5fb53d20

SHA1
5c54b53a5ab1046857e16d8a5934c87ebeb09c3b

SHA256
495bb5bfb9e5f3ee2d4f29cb41de98675e325d87d8b4018baf48d57a2ca575c5

SHA512
f81300d0c719573556e5eeae99cbecdcaa183b236045182a4c35637b2f953580cfd8e5be41e144c2de8408411c38781fd30f6364019cb287b9a709c073b1a6d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3fad9557e9a3bf552f588022c6523752

SHA1
143e7d66ba3e51b06716be27b3e3d135138f299e

SHA256
aa1b96b7b18d2d2986b9945f31e054a336a5ba3ff39c06961e0782417b5d6721

SHA512
89b4ca9954c6ee0b17e092c2e350f5a4ee96de0f5c70b334fbda9f069af2d0aff6dc86decf0ef2246e0ebac6a1d28c6f37050e94fea5f788b35418976bdf4965

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
abaef8afe87350817c85d938fdb0324e

SHA1
50226b0cbde4db9f266fb2adf8ec7b6a79ce69ba

SHA256
f8cba79da3e78e7b9f3aa4f0bfee491c667f2b79c0a1a4a346e8df315183ab38

SHA512
8171df575d87b27a81d1890266d1951a675129b1913f95ecdb4570ce72643b02214bbc52b676db63f7b08cd599ce9e294194295b712df330be16a561eaac3bce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
052e4023384592abd25bc6b47caee84f

SHA1
f68d3c620f0bc5b34ab46899da9bcd138868da85

SHA256
ef13023c64b5e15fabecd8dac14e294794303fe1a0736a522fc7284c0c0b0361

SHA512
8bd87769587764699e96f9112c896002a507fdcfbd54b7b214a27f642062d3e673d42e22c1d7d300819f6deec6bb30d5b16dd9fa7822d388e0f732995730f13e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3761fd7098cdb1fbfc12b508c968e468

SHA1
97d9256da922c68c821ca84e4b1ec4c3d933e0cb

SHA256
b0c816b52485d42c5b254cf06dab5b52edab8dcd35fd8b69cf37af19de49d2af

SHA512
efb97c41f41dd699a68db02d1a8e4ae378b18186d74e30b1cebf906e9863158d406dc4f42f2e2a430cb1ed646016d83283e745d0eafe62175583a6a5b4e676d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a9295b9f1860c5154e1dd5cd536c959d

SHA1
11ed6692460ee89d118af816d3d6e695fae228c9

SHA256
0f58a60263744136f75bda34b846da1f72bf7f3efe73730789d2d3afde4739b5

SHA512
7312f36e60cd5f1d4332012709456f1dd25bbe82cf05498770f9b3921412720a07535beee62fa165d8fc4f175e836ae0c104ead54a9aefa665bc3ed3675028e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
144fcf133d414a48fd9e0e966ce3a023

SHA1
1832472e29c49807d2a3a8d44a6afa08dedf76a9

SHA256
3099fb3a47509f33feef1eb5265c713433a5690056c43f8ee1aeb58caad7a997

SHA512
ea5050cf22b0125aac55e4eaac90be2eb16fea59414bbf44cddc14654400077382269330d7d638f6dab3fe0394320ba8261914e709a0b7254ab33b8a2209aba8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2a3ea34c568830b51d58a1410fd6aa32

SHA1
9226ab46c5be2d5bfb598f09fcb1dbcf6d3ba5fe

SHA256
2c73ebeee5d1a60b69587540f2fa1b030b877cbd6e26503dac1340d57879c282

SHA512
48f6ccb5560c099bb6cdc17818088302c8092f68164919ce38f3eb2f383a1718216aae0e42a759c238490a63f2dfda6b7c32513d212366defdcb36d76bc98b44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6d0260f059462cb58a99b2bcf4681d44

SHA1
5ebf1918a7d3fd420031f9e331c7317c93859424

SHA256
323cb1971560c5e3066be1746106172238249dbffe42b187300b6ed01064c063

SHA512
49ce22649cea188d729aab12ef6a1a28f89203292310a1f8775f86c5238fc90b8bdb2b64ede4aab7ac323724b36d28c5b4b041e197ec1f6018999247d86b3174

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0f56b0ae9fb55f21c478667944ef058c

SHA1
91db8dc8183f205d737d56a405ccec6c9e9f6015

SHA256
9f3582d29811e75dd4dfcafa1a5e1ba1bbebda3a6ff397b4392cb877e83cae2b

SHA512
4685d108c0e859b7d59772b59ba59f30281a27d4ec2d1d0d3f59bd8768f0279ead8b9afbebf856dfa864893ff3608053c89957d1e31437232fe2b327244ac9bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aa5d06b3f4bda1034b3750f28fb1c9e8

SHA1
0cfbf9fa864eff95b154fb6623b63d6047d10e19

SHA256
0c4a133782ecc4b49bf4bfa87ac51603bbc1dc227756653c893f899f5357c596

SHA512
e967d5901905d615765bebb97527202abb6b09410d9b7c9999dfa08dff3bbcde5992fb172e5c2be68985e94b46b64ea91105daf4cca22a1d318ae4a1469eb101

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b9a2f0f3e8fac437144cacbe118da04f

SHA1
8493a6f8261a707b3b87bff747af09aaaa16e58d

SHA256
b96cfed77e1d440e9fe8b8b832640459e5672a6bb6934c533a633cbb530e6cf6

SHA512
e83560c0a023d8543b7b3870f5da89a37da7a2267db55ff9e8c024779f07d475f40d1d6f863cb75addb92fb245c631bb834c9f6376ebeedd30849a38172418d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7911e001ddb5770951e6a83468fba715

SHA1
bf4d74e938540b01dd51cde0b3e237483812acb9

SHA256
21077099df5eaaeda5fbc79a5dda55550aa7a258e9839bf4b9eb2c52c75b1d19

SHA512
aa1cf2f496c894e73852a6a342c4a55b011b6e76bec3f26ccc62c1ffb35c7fb25fcfbd53ce995f805361b9d40eaac5b6ee8ed2771a780b31575d4d9ff8911f15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
511f9767d29248adeaa331743dc6f244

SHA1
87f12717a09c589f60af101ed1ff1cfbaf58b39f

SHA256
90b686c2d947fedc8501efe6b11fe222b01beac33fda46b503dc3f4a4d84eea2

SHA512
66c00f7869f9977c2b3ebc832ca4964cde07ec845ae0ebcc46fcc3ad6a3687bf984c5804d8e7706d15a76ced0d99e7ea10847e445370f016d18dea66e1b4cbeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5de97a8f0361ed2cf938db1afc44c7a2

SHA1
005074fdff522e776aa07ee8d40945e9812c66d8

SHA256
49635c2d2e487a7ce3b9e291da19ab160c54630f4de0381f10babc43b5e814e1

SHA512
56e4c307ae3841c53261aaf96a359f068305119cd63f1fad92e4f9831ab3e0b8464c786a7d8934dcad1c0b8407511aefe7ab492021bc4f908f49248c56cf65d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8c3dfcc01bddb4dd8503f36b3556ac0c

SHA1
f0d5eec865c756632ace83268b68858723b0c36d

SHA256
968e858276fe3615c7df6622c1f782aae1a03e59a03343850c12a5adcb2ab6d9

SHA512
da091feedcd50cf8f5aecacd228fe9a9c0ffeb3ec3ad426346c7dff3113f9aee06b97feb360550838fd12bbefc37a55030246168fcab155c86de1e1bb0ad33eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
cb52746f9be572a6edc9fb6226c3025d

SHA1
c29b6fad9995ca42d19dff578087a6cc99c06790

SHA256
e2a2cb8ea3270e70a1f2a9c008e86f7d93fa7b6aa472eee7f2d93694db6dc359

SHA512
ee2607883a8a0a77519766f88b73fff263a682362d8ce1d9f6d5d88a6b4ce97c2f6e549815173ed5a60b7b90b5b7ae5f8f8d534dc38b50dd42e6ee0f922b2f07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
a890f6151e76f51fcc2b386d50237709

SHA1
d573a9c6d0ad1a240ef664385080f0c7019c750d

SHA256
bc52f6023cf9ca0eeb4735310e1820be35507c045905f1401e874acdcc277b21

SHA512
3eff351f1beca2dfbc458c1f178609f6e5bcc0dc60cdaf1213518f974d5597cb61a5b88e6d45d74cbfd819759bccc1f61899fdb6565c83f29fdb1dd24e7d500d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
5315900105942deb090a358a315b06fe

SHA1
22fe5d2e1617c31afbafb91c117508d41ef0ce44

SHA256
e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7

SHA512
77e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
04d4584bd136c208ea117e932e4a879c

SHA1
57ad1427f6fd615d82ad136bb2bee25163f3b917

SHA256
79f3c62bf6322542de655176e55925920d016116ab0c259e23817fdf65de7132

SHA512
1c8205d27b611eab3829b4edfc2b86939e6abfc8305e4507e533e28fcaa2ace99849fac75bdda6809dc0788ed6acf9de6c75be453ce12924b905412526e9ded1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
ae0485450eeb273bac182913fb6defa0

SHA1
d819cf13431d3f45345ad821ba432e1452675dd5

SHA256
0f514816782cf9c0e70f75d0f79cef86624577875f9e2e9ad116d7419a453c05

SHA512
4ace785b8fed7510c080a532904db6604c62d8c8885854103ebf2ab68aaf3c6350cf58890fc226e236ca4e6cbad07ab382aaaf1ac07b422d3af57131a015fb86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
39ffe1bcca674f295d2f820b0b8750eb

SHA1
a0ae4f698cbeef0bdb6ef062e8f0e0bb591af6df

SHA256
e93ba4663c51e7768d96c0dac61b62ceb55ccbffd64336dd44c9b4e0a63ec3cc

SHA512
b4e0805612c9ad489e719c1bfd82892e9b3da20279359375585feb32ded16859a33db5e9da0f663cb0ff5b1b98e28baf57a538369ba6cb90406617d37eee1d2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3bcc790ec03764e9eb749b89ec65383b

SHA1
56aa85f3987cb42ed42357392c4b62759151902f

SHA256
ba74fc7756556a62eefbae300f2942ff4995e5a7357d444444f017310289754c

SHA512
db4d7972065b2e58048f0b6eedd3a8a7f8bf77d87fdc0989623b212492d4979cdea053f0756d4f7b60e7775c04a4f05559be922e816daf0dae5c9bad4fab847f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
63f419d14409066edbb2edff37dc551a

SHA1
be2fd217e4407d697b9d548109623544c8497775

SHA256
1cf9329a0bd8c6a123269b74346186f98bd704957a33c43c2af41ffc3ad33a28

SHA512
a72c8790be03cb8262fbddb135f8c8024047de6735a7d817443cf5ce97b68937615694d435e9590fd987391ae1ef58bd2e3066a98222435878324bb69fede20a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
ef4bf6e01d22e216533d85328fbe7797

SHA1
19c2badf8d48fb5b6037fd6d0f9f9bdb949bed9a

SHA256
dc8014a682382649bbb6f990e3a5c0b1252c0e7185447f76e1eec9d5c2383d14

SHA512
5f7cd7627105d68e79e8b76c4f11ff596d2fe740d1787205f428e270de7a9ed4b73213992714ca3d7bee1d1924a83415075cc430508004d03cb2a5885aed7481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
167cda8221f244271b7a2e6ef19cfef1

SHA1
d87e92af20084c81a08be87e808c8d3f8088f4c5

SHA256
ce8c672c984d2f687f10515394e4a2e249418781e2f34bb772322bfdd88e4126

SHA512
01d3a7b244ec54441a3089abf61b4648e7ebf361a041702d2f795c9c79a53a20c594c760280bbe91a3e77e692ef5a96ea2458d900f9470935a5f1824f33dc1d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
96fce33ef3c647fffb1bb8e476f8bf91

SHA1
61f42a8b1c11b582734c8a9faa975fc66fa33fc5

SHA256
3e23c4fb9f782418c022be171fe40702c747342096200f5b29259d6428561ce3

SHA512
d33e8db2fe45c187e4308ff0253642d10a0df006647a8eb0f2872573e09d23b973425a13242e6092e4fb1909691621c0cbcb7729c326055cf0f0d733c51ac4e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
2ab050fb08c25df555e164da9b3731bf

SHA1
0f353d65f3496a73280ec722969f81e24fb53756

SHA256
554798e5df82bf9b34d72cdd33d5898ec139687fd481367a0c95e0682ac6262a

SHA512
3a8c60c887ded8975d836820c9b6317a7113f48d34e1263676428841a86da6405ee60c884cd50526b3e4ec1b84bc16a3d9a35f41133891b60fca17688750756d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
0657e36456a4a9af22bffb75f999e487

SHA1
0bf72c7a353a2a39f75ac077ed345f59c70c8e6e

SHA256
b33e91076814c583bbdd187cc543a1677133d2bd338f4b4aa3dc81f6424a0168

SHA512
babd6fb92812accd82589c80b6eb0b2008b35ac040dbc6c510861ec401c8cf62c6221a8af24206e1c39b3e27789098fddff9cf9f0022b6e08da6137aa5090e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LocalTempCached\Driver.exe

Filesize
386KB

MD5
606a3535b74b75f329e6f9fcba0bb116

SHA1
500739ded3a8c803745faddc98aadd90718c980a

SHA256
3b95a7f024fb22d439834b2e5423d018ff4f2a3fc9d177e4dfecdbace4700704

SHA512
96728296598ef03fe4021d9b4cc0d0eebb2f788fff1d3d3c46a4b9c340c8b2c27562151048686593f7dda51a834a7ace5bb23eb101539e69e6bd1ca5eca0a2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lqkkt2gv.ifh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4050598569-1597076380-177084960-1000\83aa4cc77f591dfc2374580bbd95f6ba_cca0d105-8260-4611-8c12-bd85a7208b9f

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
memory/228-781-0x0000000006D90000-0x0000000006DDC000-memory.dmp

Filesize
304KB

Download
memory/228-766-0x0000000006080000-0x00000000063D4000-memory.dmp

Filesize
3.3MB

Download
memory/1036-462-0x0000000006190000-0x00000000061DC000-memory.dmp

Filesize
304KB

Download
memory/1496-397-0x000000006E610000-0x000000006E65C000-memory.dmp

Filesize
304KB

Download
memory/1656-796-0x0000000006B30000-0x0000000006B7C000-memory.dmp

Filesize
304KB

Download
memory/1656-794-0x0000000006300000-0x0000000006654000-memory.dmp

Filesize
3.3MB

Download
memory/2008-442-0x0000000005ED0000-0x0000000006224000-memory.dmp

Filesize
3.3MB

Download
memory/2200-522-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2200-505-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2200-507-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2200-523-0x0000000003760000-0x0000000003765000-memory.dmp

Filesize
20KB

Download
memory/2200-524-0x0000000003760000-0x0000000003765000-memory.dmp

Filesize
20KB

Download
memory/2340-671-0x0000000006BA0000-0x0000000006BEC000-memory.dmp

Filesize
304KB

Download
memory/2416-705-0x0000000071530000-0x000000007157C000-memory.dmp

Filesize
304KB

Download
memory/2416-723-0x00000000076A0000-0x00000000076B1000-memory.dmp

Filesize
68KB

Download
memory/2416-734-0x0000000007740000-0x0000000007754000-memory.dmp

Filesize
80KB

Download
memory/2592-301-0x0000000006190000-0x00000000064E4000-memory.dmp

Filesize
3.3MB

Download
memory/2996-125-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3304-503-0x00000000006B0000-0x0000000000714000-memory.dmp

Filesize
400KB

Download
memory/3560-336-0x00000000054D0000-0x0000000005824000-memory.dmp

Filesize
3.3MB

Download
memory/3560-388-0x00000000075E0000-0x0000000007C5A000-memory.dmp

Filesize
6.5MB

Download
memory/3560-417-0x00000000072A0000-0x00000000072A8000-memory.dmp

Filesize
32KB

Download
memory/3560-416-0x00000000072B0000-0x00000000072CA000-memory.dmp

Filesize
104KB

Download
memory/3560-415-0x0000000007270000-0x0000000007284000-memory.dmp

Filesize
80KB

Download
memory/3560-414-0x0000000007210000-0x000000000721E000-memory.dmp

Filesize
56KB

Download
memory/3560-411-0x00000000071D0000-0x00000000071E1000-memory.dmp

Filesize
68KB

Download
memory/3560-353-0x000000006E610000-0x000000006E65C000-memory.dmp

Filesize
304KB

Download
memory/3560-352-0x0000000006E30000-0x0000000006E62000-memory.dmp

Filesize
200KB

Download
memory/3560-363-0x0000000006DF0000-0x0000000006E0E000-memory.dmp

Filesize
120KB

Download
memory/3560-364-0x0000000006E70000-0x0000000006F13000-memory.dmp

Filesize
652KB

Download
memory/3560-407-0x0000000007220000-0x000000000726A000-memory.dmp

Filesize
296KB

Download
memory/3560-396-0x0000000007010000-0x000000000701A000-memory.dmp

Filesize
40KB

Download
memory/3628-497-0x0000000007120000-0x000000000716C000-memory.dmp

Filesize
304KB

Download
memory/3628-477-0x0000000006440000-0x0000000006794000-memory.dmp

Filesize
3.3MB

Download
memory/4440-276-0x0000000005EE0000-0x0000000005F2C000-memory.dmp

Filesize
304KB

Download
memory/4440-281-0x0000000006EA0000-0x0000000006F36000-memory.dmp

Filesize
600KB

Download
memory/4440-256-0x0000000005670000-0x0000000005692000-memory.dmp

Filesize
136KB

Download
memory/4440-270-0x0000000005D60000-0x0000000005E64000-memory.dmp

Filesize
1.0MB

Download
memory/4440-272-0x0000000005EB0000-0x0000000005ECE000-memory.dmp

Filesize
120KB

Download
memory/4440-257-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/4440-268-0x00000000058F0000-0x0000000005C44000-memory.dmp

Filesize
3.3MB

Download
memory/4440-269-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/4440-282-0x00000000063C0000-0x00000000063DA000-memory.dmp

Filesize
104KB

Download
memory/4440-283-0x0000000006430000-0x0000000006452000-memory.dmp

Filesize
136KB

Download
memory/4440-255-0x0000000004C30000-0x0000000004CB6000-memory.dmp

Filesize
536KB

Download
memory/4440-284-0x00000000074F0000-0x0000000007A94000-memory.dmp

Filesize
5.6MB

Download
memory/4440-263-0x0000000005780000-0x00000000057E6000-memory.dmp

Filesize
408KB

Download
memory/4440-253-0x0000000004EB0000-0x00000000054D8000-memory.dmp

Filesize
6.2MB

Download
memory/4440-252-0x00000000026F0000-0x0000000002726000-memory.dmp

Filesize
216KB

Download
memory/4500-224-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4500-440-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4500-441-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4500-437-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4500-428-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4500-473-0x00000000025E8000-0x00000000025F0000-memory.dmp

Filesize
32KB

Download
memory/4500-472-0x00000000025E0000-0x00000000025E8000-memory.dmp

Filesize
32KB

Download
memory/4500-471-0x00000000025D8000-0x00000000025E0000-memory.dmp

Filesize
32KB

Download
memory/4500-470-0x00000000025D0000-0x00000000025D8000-memory.dmp

Filesize
32KB

Download
memory/4500-469-0x00000000025C8000-0x00000000025D0000-memory.dmp

Filesize
32KB

Download
memory/4500-468-0x00000000025C0000-0x00000000025C8000-memory.dmp

Filesize
32KB

Download
memory/4500-467-0x00000000025B8000-0x00000000025C0000-memory.dmp

Filesize
32KB

Download
memory/4500-466-0x0000000002548000-0x0000000002550000-memory.dmp

Filesize
32KB

Download
memory/4500-465-0x00000000025B0000-0x00000000025B8000-memory.dmp

Filesize
32KB

Download
memory/4500-464-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/4500-463-0x0000000002558000-0x0000000002560000-memory.dmp

Filesize
32KB

Download
memory/4500-427-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4500-423-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4500-422-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4500-412-0x00000000025E8000-0x00000000025F0000-memory.dmp

Filesize
32KB

Download
memory/4500-375-0x00000000025E0000-0x00000000025E8000-memory.dmp

Filesize
32KB

Download
memory/4500-367-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4500-369-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4500-351-0x00000000025D8000-0x00000000025E0000-memory.dmp

Filesize
32KB

Download
memory/4500-327-0x00000000025D0000-0x00000000025D8000-memory.dmp

Filesize
32KB

Download
memory/4500-306-0x00000000025C8000-0x00000000025D0000-memory.dmp

Filesize
32KB

Download
memory/4500-303-0x00000000025C0000-0x00000000025C8000-memory.dmp

Filesize
32KB

Download
memory/4500-280-0x00000000025B8000-0x00000000025C0000-memory.dmp

Filesize
32KB

Download
memory/4500-250-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4500-239-0x00000000025B0000-0x00000000025B8000-memory.dmp

Filesize
32KB

Download
memory/4500-242-0x0000000002548000-0x0000000002550000-memory.dmp

Filesize
32KB

Download
memory/4500-214-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4500-213-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/4500-207-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4500-176-0x0000000002558000-0x0000000002560000-memory.dmp

Filesize
32KB

Download
memory/4500-177-0x00000000025E8000-0x00000000025F0000-memory.dmp

Filesize
32KB

Download
memory/4500-175-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4500-170-0x0000000002510000-0x0000000002538000-memory.dmp

Filesize
160KB

Download
memory/4500-171-0x00000000025E0000-0x00000000025E8000-memory.dmp

Filesize
32KB

Download
memory/4500-168-0x00000000025D8000-0x00000000025E0000-memory.dmp

Filesize
32KB

Download
memory/4500-166-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4500-165-0x00000000025D0000-0x00000000025D8000-memory.dmp

Filesize
32KB

Download
memory/4500-163-0x00000000025C8000-0x00000000025D0000-memory.dmp

Filesize
32KB

Download
memory/4500-161-0x00000000025C0000-0x00000000025C8000-memory.dmp

Filesize
32KB

Download
memory/4500-159-0x00000000025B8000-0x00000000025C0000-memory.dmp

Filesize
32KB

Download
memory/4500-153-0x00000000025B0000-0x00000000025B8000-memory.dmp

Filesize
32KB

Download
memory/4500-154-0x00000000025A8000-0x00000000025B0000-memory.dmp

Filesize
32KB

Download
memory/4500-155-0x0000000002548000-0x0000000002550000-memory.dmp

Filesize
32KB

Download
memory/4500-156-0x0000000002550000-0x0000000002558000-memory.dmp

Filesize
32KB

Download
memory/4500-138-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/4500-135-0x0000000002558000-0x0000000002560000-memory.dmp

Filesize
32KB

Download
memory/4500-131-0x0000000002510000-0x0000000002538000-memory.dmp

Filesize
160KB

Download
memory/4652-694-0x0000000071530000-0x000000007157C000-memory.dmp

Filesize
304KB

Download
memory/4652-704-0x0000000007A10000-0x0000000007AB3000-memory.dmp

Filesize
652KB

Download
memory/4888-650-0x0000000005AB0000-0x0000000005E04000-memory.dmp

Filesize
3.3MB

Download