betabot | 790fe3f399f96a9588f57b1221259869bb506a009e79d947cb7ec633698d4243

Analysis

max time kernel
117s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
28/01/2025, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8940ee6fe6900beb6113cbd48e2f54f81e36b3806bbb6c73ae514982cc98a710.exe
Size

1.2MB
MD5

24c7a082a3712ad00cea6f1bfee81f9c
SHA1

67f06a9982358afdf69163b3fd642c231fa0a9c4
SHA256

8940ee6fe6900beb6113cbd48e2f54f81e36b3806bbb6c73ae514982cc98a710
SHA512

ad9097c842e517fa034e5abecb07851cad0d1e5c0433cc1765bf95ee20869d445290fc71e2d20bf7121f780c3336eb0c2397c20c7e8ee541dbf946061442b783
SSDEEP

24576:q7kybXvovms3JuIfILdzxtJzJOJTe87RMMeQjm:KMZJuIwLdNtJzJOJTJeQS

Score

10^/10

betabot backdoor botnet defense_evasion discovery persistence trojan

Malware Config

Signatures

BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
trojan backdoor botnet betabot
Betabot family
betabot

Modifies firewall policy service 3 TTPs 4 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dd.exe

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dd.exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 1 IoCs

flow	pid	Process
156	5052	chrome.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\9139c97w9gsm.exe	dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\9139c97w9gsm.exe\DisableExceptionChainValidation	dd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "zlb.exe"	explorer.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2216	dd.exe
2224	dd.exe
440	systeminformer-3.2.25011-release-setup.exe
432	SystemInformer.exe

Loads dropped DLL 11 IoCs

pid	Process
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\VShost = "C:\\ProgramData\\VShost\\9139c97w9gsm.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\VShost = "\"C:\\ProgramData\\VShost\\9139c97w9gsm.exe\""	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dd.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\9139c97w9gsm.exe\DisableExceptionChainValidation	dd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
2224	dd.exe
4536	explorer.exe
4536	explorer.exe
4536	explorer.exe
4536	explorer.exe
4536	explorer.exe
4536	explorer.exe
4536	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2216 set thread context of 2224	2216	dd.exe	80

Drops file in Program Files directory 47 IoCs

description	ioc	Process
File created	C:\Program Files\SystemInformer\dbgcore.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\SystemInformer.sys	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\HardwareDevices.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\OnlineChecks.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\peview.exe	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\ExtendedServices.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\x86\plugins\ExtendedTools.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\ToolStatus.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\ToolStatus.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\symsrv.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\SystemInformer.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\ExtendedNotifications.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\HardwareDevices.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\OnlineChecks.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\ExtendedServices.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\WindowExplorer.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\Resources\CapsList.txt	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\LICENSE.txt	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\ksi.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\ksidyn.bin	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\ksidyn.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\DotNetTools.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\x86\plugins\ExtendedTools.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\Resources\EtwGuids.txt	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\x86\SystemInformer.exe	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\README.txt	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\SystemInformer.exe	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\ExtendedTools.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\ExtendedTools.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\WindowExplorer.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\UserNotes.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\x86\plugins\DotNetTools.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\COPYRIGHT.txt	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\peview.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\DotNetTools.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\NetworkTools.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\Updater.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\ExtendedNotifications.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\Updater.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\Resources\icon.png	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\x86\SystemInformer.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\x86\plugins\DotNetTools.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\systeminformer-setup.exe	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\dbghelp.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\NetworkTools.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\UserNotes.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\Resources\PoolTag.txt	systeminformer-3.2.25011-release-setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\systeminformer-3.2.25011-release-setup.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3352	4536	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminformer-3.2.25011-release-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8940ee6fe6900beb6113cbd48e2f54f81e36b3806bbb6c73ae514982cc98a710.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SystemInformer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SystemInformer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133825452319646837"	chrome.exe

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "287309825"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	8940ee6fe6900beb6113cbd48e2f54f81e36b3806bbb6c73ae514982cc98a710.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\Registry\User\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\NotificationData	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 0c0001008421de39050000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	control.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 1e00718000000000000000000000e1a40ed25739d211a40b0c50205241530000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\systeminformer-3.2.25011-release-setup.exe:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2400	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2216	dd.exe
2216	dd.exe
2216	dd.exe
2216	dd.exe
2216	dd.exe
2216	dd.exe
4536	explorer.exe
4536	explorer.exe
4536	explorer.exe
4536	explorer.exe
3444	chrome.exe
3444	chrome.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe
432	SystemInformer.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2224	dd.exe
2224	dd.exe
4536	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	8940ee6fe6900beb6113cbd48e2f54f81e36b3806bbb6c73ae514982cc98a710.exe
Token: SeDebugPrivilege	2216	dd.exe
Token: SeDebugPrivilege	2224	dd.exe
Token: SeRestorePrivilege	2224	dd.exe
Token: SeBackupPrivilege	2224	dd.exe
Token: SeLoadDriverPrivilege	2224	dd.exe
Token: SeCreatePagefilePrivilege	2224	dd.exe
Token: SeShutdownPrivilege	2224	dd.exe
Token: SeTakeOwnershipPrivilege	2224	dd.exe
Token: SeChangeNotifyPrivilege	2224	dd.exe
Token: SeCreateTokenPrivilege	2224	dd.exe
Token: SeMachineAccountPrivilege	2224	dd.exe
Token: SeSecurityPrivilege	2224	dd.exe
Token: SeAssignPrimaryTokenPrivilege	2224	dd.exe
Token: SeCreateGlobalPrivilege	2224	dd.exe
Token: 33	2224	dd.exe
Token: SeDebugPrivilege	4536	explorer.exe
Token: SeRestorePrivilege	4536	explorer.exe
Token: SeBackupPrivilege	4536	explorer.exe
Token: SeLoadDriverPrivilege	4536	explorer.exe
Token: SeCreatePagefilePrivilege	4536	explorer.exe
Token: SeShutdownPrivilege	4536	explorer.exe
Token: SeTakeOwnershipPrivilege	4536	explorer.exe
Token: SeChangeNotifyPrivilege	4536	explorer.exe
Token: SeCreateTokenPrivilege	4536	explorer.exe
Token: SeMachineAccountPrivilege	4536	explorer.exe
Token: SeSecurityPrivilege	4536	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	4536	explorer.exe
Token: SeCreateGlobalPrivilege	4536	explorer.exe
Token: 33	4536	explorer.exe
Token: SeShutdownPrivilege	1084	control.exe
Token: SeCreatePagefilePrivilege	1084	control.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2400	explorer.exe
2400	explorer.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2216	1724	8940ee6fe6900beb6113cbd48e2f54f81e36b3806bbb6c73ae514982cc98a710.exe	78
PID 1724 wrote to memory of 2216	1724	8940ee6fe6900beb6113cbd48e2f54f81e36b3806bbb6c73ae514982cc98a710.exe	78
PID 1724 wrote to memory of 2216	1724	8940ee6fe6900beb6113cbd48e2f54f81e36b3806bbb6c73ae514982cc98a710.exe	78
PID 2216 wrote to memory of 2224	2216	dd.exe	80
PID 2216 wrote to memory of 2224	2216	dd.exe	80
PID 2216 wrote to memory of 2224	2216	dd.exe	80
PID 2216 wrote to memory of 2224	2216	dd.exe	80
PID 2216 wrote to memory of 2224	2216	dd.exe	80
PID 2216 wrote to memory of 2224	2216	dd.exe	80
PID 2216 wrote to memory of 2224	2216	dd.exe	80
PID 2216 wrote to memory of 2224	2216	dd.exe	80
PID 2216 wrote to memory of 2224	2216	dd.exe	80
PID 2216 wrote to memory of 2224	2216	dd.exe	80
PID 2224 wrote to memory of 4536	2224	dd.exe	81
PID 2224 wrote to memory of 4536	2224	dd.exe	81
PID 2224 wrote to memory of 4536	2224	dd.exe	81
PID 4536 wrote to memory of 2988	4536	explorer.exe	84
PID 4536 wrote to memory of 2988	4536	explorer.exe	84
PID 2400 wrote to memory of 2264	2400	explorer.exe	91
PID 2400 wrote to memory of 2264	2400	explorer.exe	91
PID 3444 wrote to memory of 4804	3444	chrome.exe	95
PID 3444 wrote to memory of 4804	3444	chrome.exe	95
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 804	3444	chrome.exe	96
PID 3444 wrote to memory of 5052	3444	chrome.exe	97
PID 3444 wrote to memory of 5052	3444	chrome.exe	97
PID 3444 wrote to memory of 3268	3444	chrome.exe	98
PID 3444 wrote to memory of 3268	3444	chrome.exe	98
PID 3444 wrote to memory of 3268	3444	chrome.exe	98
PID 3444 wrote to memory of 3268	3444	chrome.exe	98
PID 3444 wrote to memory of 3268	3444	chrome.exe	98
PID 3444 wrote to memory of 3268	3444	chrome.exe	98
PID 3444 wrote to memory of 3268	3444	chrome.exe	98
PID 3444 wrote to memory of 3268	3444	chrome.exe	98
PID 3444 wrote to memory of 3268	3444	chrome.exe	98
PID 3444 wrote to memory of 3268	3444	chrome.exe	98

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dd.exe

C:\Users\Admin\AppData\Local\Temp\8940ee6fe6900beb6113cbd48e2f54f81e36b3806bbb6c73ae514982cc98a710.exe
"C:\Users\Admin\AppData\Local\Temp\8940ee6fe6900beb6113cbd48e2f54f81e36b3806bbb6c73ae514982cc98a710.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\Pictures\dd.exe
  "C:\Users\Admin\Pictures\dd.exe"
  2⤵
  - UAC bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2216
- - C:\Users\Admin\Pictures\dd.exe
    "C:\Users\Admin\Pictures\dd.exe"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Indicator Removal: Clear Persistence
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Modifies firewall policy service
      Event Triggered Execution: Image File Execution Options Injection
      Checks BIOS information in registry
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Enumerates system info in registry
      Modifies Internet Explorer Protected Mode
      Modifies Internet Explorer Protected Mode Banner
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4536
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1148
        5⤵
        Program crash
        
        PID:3352

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2988

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Drops desktop.ini file(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /7
  2⤵
  PID:2264

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4536 -ip 4536
1⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc74a2cc40,0x7ffc74a2cc4c,0x7ffc74a2cc58
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1720,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1748 /prefetch:2
  2⤵
  PID:804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2112,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4624,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4852,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3344,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3548,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5156,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5196,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5388,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5380,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5664,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6036,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6064 /prefetch:8
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6056,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6348,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6068,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6064,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6496,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5848,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6688 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:6096
- C:\Users\Admin\Downloads\systeminformer-3.2.25011-release-setup.exe
  "C:\Users\Admin\Downloads\systeminformer-3.2.25011-release-setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:440
- - C:\Program Files\SystemInformer\SystemInformer.exe
    "C:\Program Files\SystemInformer\SystemInformer.exe" -channel release
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5680,i,14355394916332797276,9998032434440596710,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:5928

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2832

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SystemInformer\SystemInformer.exe

Filesize
3.3MB

MD5
c21b9f52e195471f3978df692c46c714

SHA1
f64ab91451fd761b690d070a007b72c309447304

SHA256
0684d5382c346850eb2378caaa73606671ca579dda624c3d4d042ad514a50b32

SHA512
c995a8ad39a1f77d808359554f35f7df7ce8f0382c1aa6cda731bd645bd1c46ea4ab0b56fe7818bb9249d007fb695dc40f84680cd2c5f9c26ba5ac54b34c5b22

Download Submit
C:\Program Files\SystemInformer\plugins\DotNetTools.dll

Filesize
197KB

MD5
9e7c936f72caa3b7dfae0257368a2c64

SHA1
57983264011f7b905d4cbcb401aa5a67c5b2c8a7

SHA256
87ec8a69759dd320fdcab90266623593db49cb20313181553a2ecf3a1cab0715

SHA512
a9aaf9eeead9e951a44f6af83e9e106f1dbcf1a2d211ad575d12509690555f91deda8430e5812d13b750f895ec9f6336b6a88822919e22e32cb90ecad3a6e3c8

Download Submit
C:\Program Files\SystemInformer\plugins\ExtendedNotifications.dll

Filesize
148KB

MD5
0a13f312b2adac92056fef7e50406095

SHA1
dc1527bff0e4eb71b2396706b3c91b3604d6b9a6

SHA256
bcf2ab73e375aa67db089de7bcf49c718dd5da915c5e9d79f97ef6bc1437198f

SHA512
53cdcf158d43050c7e2106cb8cc1554bf3bf4e3bf81e56112f685a564ec27b90039788dfb43b3b469ddd875ccaab2c1bd89ed70e2765a6545d49efa2579d0011

Download Submit
C:\Program Files\SystemInformer\plugins\ExtendedServices.dll

Filesize
197KB

MD5
ef110f47f5b2eaa7fb338d8689f0b214

SHA1
657efcd1abea5ffc4e13ab4c188277a24d87cfde

SHA256
26c4d8447aa6e2e7eb6bc45a3ce724b12d9e9fac868b5607270440f9df41d928

SHA512
f59940236e58d221ea68fe611a041a14b23ab7a70b67863d3db1192d26e64ca1d0d0bfbdb5225cf3e74bf1e66637b133e77dfd379540d520889ede7f1f761f9b

Download Submit
C:\Program Files\SystemInformer\plugins\ExtendedTools.dll

Filesize
2.0MB

MD5
7ec2a164acabb32de4af0c551cdae844

SHA1
2b494bb02986a860f1b444d2738ee5f7ef239cfa

SHA256
373a7c6ad487971ba02e415f4b13d73dd94d63e6569e581f64df5d3f2e13fbf0

SHA512
31b256d8e087e0e1d2dda7553ba6de9af89e2459bdff4651bed3b8db214c20fd5b535ae6bb12f4d9eeb8ca645f6e95604478521947c3d2e98c078fe8eb0b6681

Download Submit
C:\Program Files\SystemInformer\plugins\HardwareDevices.dll

Filesize
346KB

MD5
91c13a046afaa86c4068e4a78eb8950f

SHA1
816ae864bc592c92923c93ceb06f12582c084d2d

SHA256
57306fe197c9dea97b9daae7028ec048c411ebfe9d1d9e473b967ed24ca1b8a5

SHA512
1c02cf9be70990377ef508ade9510b9952f766b615e25184f200f8dc6242e98161dc0a29a347f78eae452396acfdad24804c61f7a0ad712ae6d9eb9d72ae1bdf

Download Submit
C:\Program Files\SystemInformer\plugins\NetworkTools.dll

Filesize
741KB

MD5
58aef8e09368bbf80395f2d47c946105

SHA1
29f245fdd68443f36fc231feb411a160b8136401

SHA256
3fa9007708ac969e2797072cafa1da41373fed463a56b0cef27719a9da192187

SHA512
b4a1234f3d8c332849bd6c5eece93f919702b91489605725756b3db675fffdedf38cf8e943f6a3d82e415cb5f0f5055f2f09fd6e83bc0d899a3ce1f79031752a

Download Submit
C:\Program Files\SystemInformer\plugins\OnlineChecks.dll

Filesize
197KB

MD5
7436a74c4ef6417899decc3fa315d37d

SHA1
564e70e4508023082b9b979b91f2cea4f52b9743

SHA256
360c36e87659d74c694a7b323ea8399d59cc892577adb5650ae34e8fae8bc4c5

SHA512
bbea43456d9133da7423478e116323262a74a04d27ce4563ad435fba185106733ca49cecd6a76c33bdc2459a962fe6d0915efa659c9672915ef04485d6ed0119

Download Submit
C:\Program Files\SystemInformer\plugins\ToolStatus.dll

Filesize
402KB

MD5
4d8846a2fb261450833b504e39ed1530

SHA1
57562d69582db784982b7b7eb37fad2b8eea086a

SHA256
9faf58681a6daac5a7438b4e6960f98e3a051b0c15c7466729eceaf4acdbb2ed

SHA512
750b423016d76e8f34466b0585841cf098d5099d3cf6063b638be635c66e0078afd76f4773027c8c778f8d54d77c6b6b7cc77dbdd2582272ba5b9509df825040

Download Submit
C:\Program Files\SystemInformer\plugins\Updater.dll

Filesize
177KB

MD5
47bd5acc2a658c3d4f2479b823023e84

SHA1
14d6a6e3012ae42462f44ded048d7ac04e141355

SHA256
c18a881ec91ce13fdf69bcb7c12db2101dd7abeb62258ae9294aab24a3d4d2be

SHA512
0ce0f17a1e771aa5b67c050d9d93601de62cd50ae3dbf7b377ab28894c762a3ba1b106acd96dff2dff8584e4045d8d1bc4eff246150a909ddc4baf0336bedfeb

Download Submit
C:\Program Files\SystemInformer\plugins\UserNotes.dll

Filesize
185KB

MD5
d128690a552ca701bb9a81f49eee2e02

SHA1
ca40fb0c972886a157e4d188842d7e292b6482d2

SHA256
f63accb8ebc244e1dec4451674b8f2a61261f50fc3997fc2919c5037e998afe9

SHA512
1f2df3092d25281e16bd4997a19e9db2fe0f3ddebfc41b22de5db76fa1071fab7d54df168fcd9f7eb37da0982ef20734889b0a1067c3246330f50b1fde725c60

Download Submit
C:\Program Files\SystemInformer\plugins\WindowExplorer.dll

Filesize
205KB

MD5
8f7dc18997561957256adb821e70f0d0

SHA1
4e46de5c75fb8412adedae520e4412d767465ee9

SHA256
3d3140e0a0d8cc188583f304465e26b2e083110781a28b6cf7c93724ffd29fa6

SHA512
a9f32ad0c0ee3153c9540ff21043f970efaaa30655cff29a4216ea2d8a986b0b09fe33bdbea1f0e9fed8c64b795e05021d4d2b31ade064dba2567389301fb516

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
def60e29498fb8bfa1bfbf79dfaf261a

SHA1
480ac245eb7b542aea6f359f41df1b317acd0543

SHA256
e268693cbd31bba092a5086ceb082df77cb818684d33c5e4959a438a1e5454fc

SHA512
0986f994e6c6de3b9ad5d6685828dd60d64b99080de3718cfeda6718bb0be7161563411e328ff6fa8b57eb363e37a2e89bcd19d1584d1aded81adfd14fa18fc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
24KB

MD5
344ee6eaad74df6b72dec90b1b888aab

SHA1
490e2d92c7f8f3934c14e6c467d8409194bb2c9a

SHA256
a3cf4861c7d0c966f0ed6564f6aad6b28cbd3421a9ca4f60e2246848d249f196

SHA512
2a9a9162d610376512a8fae2cf9eb7e5146cc44c8ebde7a12e9a3985da1718c62ae517c25b00de7c0269efab61b4850a0becfbf04382a25730dbe9cf59825a62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
41KB

MD5
b968f9e5faab98f27b0dc2a426057a4c

SHA1
987cae3e1b61beeb768563d96a57b9d673306ba5

SHA256
2be7c4562ecb9783cd56aab28bfad2929c4222d095369fd58fa9df08c9673709

SHA512
ff62c87c466aaba5517d737ecdde5bd5031e3cf998281f6966862269e492cd7c910a5784dd857deda53e6df83aeeaccdd12288fe712ebdb8ed2ae5048f659cb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
71KB

MD5
f462d8d8233afd2231a6601acfaacee3

SHA1
29c38db098b677490416220f4372daddc151df8f

SHA256
f3fe410699db1fb3cadbf196bce24c188b7306dc0bb1534f844b9d568b81441d

SHA512
ce4a442858dc8cf3aa4ab75e09ef979524a7ad72943d99c0c30af65042d8a506dac35cd366e9a98b9948c951775a90e8058df3c00973d20c24cd58625ab83bac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
24KB

MD5
5366c57b20a86f1956780da5e26aac90

SHA1
927dca34817d3c42d9647a846854dad3cbcdb533

SHA256
f254eb93b015455a3c89aaf970631bc989fe2bd387f79e871b514992359651aa

SHA512
15d7127970436f2510344600f3acecc19c39a05f8e82c8a7950095386382b2e2da55883a5a9faa97b84452e67315b9ac1693b6592274c8c1c35c813dfeb543a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

Filesize
18KB

MD5
283899e6a1c2a646c9d805c6d4fe2139

SHA1
76c2a76d17b5b6f09832d97ccf5181566c6c9f26

SHA256
2f185408c9203003ec7b0712420f83d56b6b979aed21ca43c844a0479ad96e7b

SHA512
63e42253fdb0794a7e528fc8ac92e944c25c59b63df22f1e06acac47e47c9b6efb49b77582cfa006fc45789e87dd9d62f7a90c0c28bfb7fb4dda7ab76ea71feb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
19KB

MD5
680ef1ad7c0a429925904f42c690b60b

SHA1
b330de9c76576567c454df8b99db1b695a41705d

SHA256
241a54171e7e0c871716b4e6fd4f3f9eef99726f9b971aa5edb604982b0d7882

SHA512
aa6649cfb919defded00a2e2b53a52eb9814912767154a58e6e3e6cce7e1002d988b6b26110622170973a1a62078adece59783f0dfc40005c389154210af0fe0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d

Filesize
53KB

MD5
2663493bfbcbd8e023fab8129867d89b

SHA1
e6bad7a230e0815cab571304c1713910e3cd4ad4

SHA256
a5e08698bc0a432b222e4d9c5b8d10e4b5f8eb779ddd4f1f3286b0c17b7b8ec3

SHA512
c78eb36149e5a90f61587ef6bd3c5b94d57166055a7b67d3e3ba1d2279e9a3f1b1e8b76f8efba0d1d538631fb51a9d08cd62eaa40417174a4fcac9868655a0c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e

Filesize
16KB

MD5
97fba863b3dce860edc3fba34bc4e0b0

SHA1
37dd7a177c9a8972fc207adec755f4cba3819e2d

SHA256
30faf362fe4e15d2b1a4420f491982d454106d9a4fe8bbd8691350e501cc1bad

SHA512
be11fb7c14d8c447eb06237a5e160888d9f6cb304ce4b654ea6c21a0c69018be623791c7453e22c3d1da0e93adccd563405159bfa1eb42b6b37a87535c2a001f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
33KB

MD5
ce4d0e0dfbffb52d6a9fb1b8c330e4a5

SHA1
a1e98d2263dbb733543ed4b7fe37e733dc7738e7

SHA256
5814abf3c6ca99f2a7ae3d431354d3d89d4b84ebc3338ed4f57d97e702f254f4

SHA512
ccff79df0b2370e68c43c5e5ffcce0d184ac9222e5659054af3218eab70c7b5d0db5ba5019b0b2a0b3eea08db529d2ff875fd2b62cc8bb885212a502057dacef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020

Filesize
18KB

MD5
ce4c7d1372a2686ca61a83a53cc53481

SHA1
1fb11b54ce19ae72cd5cc13c0fe28c9f6389a9c7

SHA256
326a1140babd8fbdde8633873c0fd56acb5bd4550f9b285a13d0a1bdc3810ac4

SHA512
79d4f9b24dc9d4b4897b4df65e3a28960bdf64c72f04d0ac565b73c18b5b8b38f6235ad9f28f2c24b698946c56084d7cd9050fce48a78a8c4ff1bafd7d2da7fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021

Filesize
113KB

MD5
c4f67d97acbdf68adb109861857dc489

SHA1
0f83b7a665baf7a27ccd12fc5ca701874bd65d2b

SHA256
b1fbbbb32a7abceb16201f54fd50e7aaa39f9e2ce710276cf131e9f68e415d9c

SHA512
13e44163f74d414a5075b2405e4b25a9cd2c50b2e09f8b381823d8cb35581f342022639a2710122070741408cb62dfbe77738fddeaeb517b58ac78b57ac5e4b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
129KB

MD5
b13fc7fe2ff32bdc8f2fe5a528d29d55

SHA1
6b5c3982fef6fe82d8f90dcdca7a8bad036d73f1

SHA256
f33938c58bccacb988c769c83425ab7b2505fabe356e4e4c5fa3d97be92629e9

SHA512
223a3e63d9444696bf0c6099717172332ec832c5381dd42e128648f69040e3702a81eafdcd49b8574bd1126c15e5cab3d8aba45ce51ad3e76948a229a71fd4e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000025

Filesize
16KB

MD5
15e99cbba91068813f0b006eb092d46a

SHA1
5dda189459e186aba8bde39ad10620b88df4575a

SHA256
4c3cbecae2ad561a91bcb112c907050f66e90428e77b27bf1b1c9d8a3ef0ef50

SHA512
d8fd2a5be58526bae6de1ffd046301ac88df394f3f7d26e7b5a11b09bff6b66565b1fa6b47d590419f123ff29121f9a3aaf589ec4fdfcc2cad3a91dc9f059459

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028

Filesize
52KB

MD5
43a48882e9629ee6acf6812bb41818de

SHA1
9f14f5ec8feb589998630a3a60efb30cef718c3f

SHA256
93c1820fa8e76b006658723eb6b09debe9fdd538f6467f592ec69ddca51b57c7

SHA512
ce10743186a1282a6442f0c1f1324de167226df2023685ead949723d41caba3fb4e96169780112a8b477de3f8ae8706c5741d3603c013ca188d163cd08c548b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002a

Filesize
29KB

MD5
79ffcf947dd8385536d2cfcdd8fcce04

SHA1
a9a43ccbbb01d15a39fac57fa05290835d81468a

SHA256
ffc11b830ad653e7a9d4257c7cd7a8056db5e7d7e89439b8fd67d1207b1729bf

SHA512
3dc82ecb2abc8c567434666a9162cc188de669927c3dada6392d8bd97d5e746f1ed350e1a02ec016ee2b1dc8a9cc5c71c553f2ef1293d6793800c276560859a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002d

Filesize
66KB

MD5
f53b6d474350dce73f4fdc90c7b04899

SHA1
b06ca246301a6aea038956d48b48e842d893c05a

SHA256
28442a56b016bfade0e368929138aaaadfc36156734e8ec7a6325b3e58fddc25

SHA512
7f275614052ebae8876ad28fc5d48e4f63ed9ebc610ed981f81377ea3ba4c49a2031ff771deb12adabcf33d4789ba35354c1e52524c067a9e7ce078703683f1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003e

Filesize
20KB

MD5
47dc65492ce82ca6490241a545bab45c

SHA1
809c24b668e2383016f8ff2ff4270c028917be6a

SHA256
f1afc64f56109bcfdc6b4a657fb60d5a49455737fbc5c97995d890ba1696b33e

SHA512
403f8cf0a1a4bf704c14bc767340e70b746afd22d7c645817aef1a3b6240327574bdd3a89226a5c534f40adf241e83ada064e385c7c956cc8437bb650452816c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e13c43d4899e1db225de3e2cdc7e9bee

SHA1
2e9e896cfdd54bf1668d18f3dab8cdd72d8e0dd7

SHA256
bbc0a17ce08963fd4d9abf757d1f8a9fe20e235d8397f9b8f12807338f19b649

SHA512
ad1fb46b5f7263d5df502fae9d4d2e6cc004be8765eb921d6bf0b2273b0ee1fe4c1068b22a2eaf94a0187e440a2e47cee06f1d5764547dec3b5155b52598957b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
90d98274ea20e6e4843cb54e4eb8abda

SHA1
4051e26a1dd94d2cff94d56dd2e1257c5682ea64

SHA256
d18ff56b8b96acaeb611c4d95e4991726e2132b3221a3344286073c5224c2f3d

SHA512
65f2c18a760b392def5cba3fb8a7ecf0f49c861078a947e1e01d06563fbb53ff426ae3eeefa90776f932519ca08216fb291a7216850bd1e826cff37ba2388c30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
17KB

MD5
cf3c0b1094c52fcf17e111b548823d78

SHA1
64eec1ccd09bc80c2c339e44355250cd3c938e4a

SHA256
e0006943c70367e14134dc867e46fe04b77ae2ed963590bec23debed33d831ab

SHA512
c133d21932d2c18ae56c138a1942265f0d35e39913939650c451b5de11843f824f41f9693a3c2a347aca4f8d64bc4fc596885ed8a654863703834880749572b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
59d554f293c21c3c9300b3218c600d79

SHA1
4e7ffc7527677c0a821d959e85ccf7520c771015

SHA256
4af85ea6c8b90068c981d4dfd2a5d23ca3f7ed517b9fda436949f41c372a27ff

SHA512
f3df43e3820550d6a99ed9d7f0477e800a2ba242f73812449b50e83d260770f2d03ef54c9c4a875c2edc191444e4582cedf7410e250b5606fcf1915216276b03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
31ef5d2090e337ad0a617377f91ce5fa

SHA1
ed03d33e93c876dd5e684813301b1d02c8b0c079

SHA256
2e3a6eda081b52159e68dccb31e2bf5ae7b4f0ab06d4be0ba92471a174e7b871

SHA512
a47b0402bebbba5e57298eaf310a883ce40720feddaf30ea906007940e34356ed87a2c9d1c81bb66d2c80c4356e4ada0aa7942749c5e7d6f1ead6f8c6cd82869

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
99d83265e4264815745682005e886424

SHA1
eba9628ba5ebe7fb00a160001b1d5fa9653bf27b

SHA256
058af20208e9e868152d3db4e5ba27cab4701a8aaa3058e4a887e92b3a49ea2d

SHA512
92c07a2f06635ddf810ff2e09a7d19afcb4770236e535c621b6178470fb24d75adc62c13c14ba35aaecb76c29d99d39fefd08fc67cf761f72126826544ff0334

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
7dec7e6c71fb53b173272cda66758086

SHA1
79df00f1e70e798a3d3d1c9199dbfe00bd273543

SHA256
267c208d25c6d01f43bf5f4423257b6b277a88722dab285e1a399b58113c4fd2

SHA512
13411fce95072dc761602edec2a3242a9ec487f83cfd87b21f71f1dcdbc29435b7f32ff50c60ba9e0e9dbae3c37e0d5a31244b1dccef48491ee6995fdef0e7e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
03c091b7b6603f4d3d2ec1e5b0085997

SHA1
a7040b391bd5987c4b42134db809756385e6f153

SHA256
f7ee95dcdc6976f85169e8b8c671df50ea46b23f4874fd8247b3348d73b69551

SHA512
3f3baf792c011a8e7080c226336cc664722228803d40d0fcbd6e58c7fda3a9e6561d1ebcd72daf2969760a55dd958ea737926e21160cd25c8a8cc04bbce5d0ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
043bbc18da534c30eb53114baa309403

SHA1
8fe84f0d2c468229444e70f6abd311023fe42744

SHA256
3ae97c2d720386038e1e0eae60f9cf34682498dbf74f9499d17c1b3c739223ea

SHA512
e7233dcc47738c4b44e87791e604fb7c03eec00d511db578e5099a112512b0092615727e1870bfc4edd2408340c7e2301898efc1301b885a31b0971046d70d3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c86ae1846159f4827f7622c94f474d81

SHA1
10146cdbce3dedf14be18d1ca4b7ae00c93b1485

SHA256
319be54f37e5ed57b80154330f4be4ad5cbe0092298e29a8f0a0d56d1191613e

SHA512
ecc9b2914016b91b8b583f253f21ef7b1b8fd6fec37e6712f9e2f7bca44b5459107bb0edbcf39a8c114e229a32d5874574fe04929e44ce32920e013590d5226b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a94d4f7b64908d968810153ab4080fb5

SHA1
d1e0ae687c1f8c45c1a0278997c397e01bf2abe5

SHA256
677ff153f5bcca140f872f7976f6fd8d05cc5cb3238db42f790245d28679c6c6

SHA512
200f4214d5853082f53b379af680009e790d7cea877aed028192ad6a5059fe03f8e095080f1dc4d29e00ecaf7226d70ca88ad4a6866279f8bc51b6f145afc1d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1195f23d7b2c247f8e0e6d3e068a88c1

SHA1
7ccc35fb446a6e6a112b38a6b8c1da9425c336c0

SHA256
8d14059079d921a19f63c124e0bcb4a07111ea9baf6c110f083a5054ffd2ac93

SHA512
25efdb87288b08117e206ba4538ec1846b939563d2d70ebc67493f7e49efd06281a8576bb2df113fc3fa57351521a9adfaf9930f2b76d9cef5df6438ef56ac8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f047266f2fdb7d93f601df9c33c0f711

SHA1
3923a2b0ef70a47ead99b03137ba44f0c06953ee

SHA256
4cfb7edcf1678a0983d5efe158387dd3df154799307ce59bba64fbbac9b6b278

SHA512
ed3d556f62538e4bff40d8c0dee8cbc938d2087df288c39df02fb69d32d3ab66638829e77daf005a969580064ad99946dcb558e3f651805ef6748a755b70ac00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
1cbbef19b38c680840b31a46d85b55a2

SHA1
80ffcdc76ee99157af85842b5b16e47bc6443572

SHA256
5b0cb3b54d5ffdff43c0ed0291faa139538a2e35004341ccb2e3083e2cc97945

SHA512
b05a567e96eb87d5021e825b9e12b232409e69a2fbbffa2af78f8568dc78e03614dfd5415d1ed9ee7a708f9e4d082a3adf1c0ea8239294835e46ded470ee1f1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
d845143ddf8cc7a07e4b731dd2d93d9a

SHA1
c9a8f2f9bcd1e670f4d1c12634e29e8aa511c081

SHA256
4c1c9913127e5c7cefcdb7f492309a48a867822504d664ed1726c35a3c97a195

SHA512
6f20edf4c6a1ab5ee9411743813b579b26f46b752cb129b32d430af455bc4985cc5d4cce64f399db6ecd63921cf23e5235ca2a0a3f4f0d1839f3d6bc974a3147

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
a4eef3aee39f1b13b2e891295fc974f9

SHA1
ebb93e3a965a002722172fc2f45fe9e788ce337d

SHA256
a97e1d362fb93b0fefcf303a76196544216bb97f0d6f6335a8b9b9bab40bfb26

SHA512
8d234fdd455bbd6da9167cf5c6222ee45c8e9aa1e3f44e0dbe3f191a574b4c2146c5baa9f62d0868ba7f3e4a7076da2b500c9542208fb65199f4d49b1cf3ec48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
4d31e850738601c6d80c8c2990876de6

SHA1
755a14cb8ce961b135b84fcaab9924c726f2c0ee

SHA256
372e1273f7ea12ac3ef599366f93613f8d7be7e1a527a72a2e65f58bdf6e848f

SHA512
e20189f4ad9ddeae13aced9064c8a5053ad63c0b5ad8bc624ba132301a3eec373352bae85fe5f41e1aa8531b45caf750fbbdebb7e33dfa0e9ec9d660ce2052fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\36e6f957-b81a-41be-9850-74fd152826ce.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

Filesize
143B

MD5
756cd85c9ddda5c313618ebb0193528d

SHA1
d81f609a57b1280810e94d207fe05f9b3d02ea0a

SHA256
8b0de067490220e29439b21aff0e956956eb2cbcd7947019ac7578536c0a3941

SHA512
440201f6032de51dc583beceb912200e405f49dbccfa75fe1ab622edd27d3f66edf888865ae9c131bb07bafe69c8bb98045f191421854955ef5c594db3bd4230

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 196458.crdownload

Filesize
22.6MB

MD5
979b20755ddf86eddb3e2892003a2ca6

SHA1
3a0b6f9ee4ee12872e733948465be5ece5b25629

SHA256
7612d5e44a5a392ab9f0d1b5b8a79bda3cdbe19848e8ee9ec23909aaf3daad45

SHA512
3238f77f7810460cb7cdfe7692892879c28e14ccd95969e80cf83d1dff320c8354173a87503b893b7095b99ee81c61e195004ad5f5e6a28e09e3e9c1fc080d44

Download Submit
C:\Users\Admin\Downloads\systeminformer-3.2.25011-release-setup.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Pictures\dd.exe

Filesize
233KB

MD5
34ddf5905488a9b275df4c58aaf5d847

SHA1
5bb563413be0c957692aa91fdaf86a6e60cba22a

SHA256
d5adec27977bf202eb056c2eb8f36115d398cc0536ca38b16bf7514623a5c069

SHA512
b3c11b7f4046392f58802c0c0c09041a29478942064ac2834bc0f18cc564549be58101bdf499159021aed0c65e0bd7140ff43bad33520ae549076de8dea891b7

Download Submit
C:\Users\Admin\Pictures\세이클x 번개녀 원나잇 홈런 시리즈 3탄 - 몸매 죽이는 E컵 자연산 슴가 현직 모델녀.mp4_20160810_215820.611.jpg

Filesize
93KB

MD5
992e7555ccbc6b82af6ab64cad41cdd0

SHA1
773616e3f157bddbcde7026b3d2d0b65f3809602

SHA256
8deed2818ffed9549644eea1aa5bed8807a5a1ca9e9b76b15a566d827ae25efa

SHA512
e28f12e19060a83a4799e0b2f72ae4c970b90b9442a0a0e28f902be5a920d8a7d08acd96d040d0ba580929401221ebfd69218f5ef13340de5a0ca253dd1eb656

Download Submit
memory/1724-1-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/1724-2-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/1724-3-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/1724-4-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/1724-31-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/1724-0-0x0000000074C01000-0x0000000074C02000-memory.dmp

Filesize
4KB

Download
memory/2216-49-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/2216-48-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/2216-32-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/2216-33-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/2216-44-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/2224-50-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2224-38-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2224-34-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2224-37-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2224-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2224-42-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2224-35-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2224-43-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2224-46-0x00000000010F0000-0x0000000001156000-memory.dmp

Filesize
408KB

Download
memory/2988-56-0x0000000003030000-0x00000000030D4000-memory.dmp

Filesize
656KB

Download
memory/2988-65-0x0000000003030000-0x00000000030D4000-memory.dmp

Filesize
656KB

Download
memory/2988-64-0x0000000003030000-0x00000000030D4000-memory.dmp

Filesize
656KB

Download
memory/4536-51-0x00000000005C0000-0x00000000009ED000-memory.dmp

Filesize
4.2MB

Download
memory/4536-63-0x00000000005C0000-0x00000000009EC000-memory.dmp

Filesize
4.2MB

Download
memory/4536-54-0x0000000000CF0000-0x0000000000D94000-memory.dmp

Filesize
656KB

Download
memory/4536-52-0x00000000005C0000-0x00000000009ED000-memory.dmp

Filesize
4.2MB

Download