chaos | 3730e9cba4a93bc985ef7cd2368ccbf5eccd4724f514b38b20e320e5553dd08d

Resubmissions

25/03/2025, 13:12

250325-qfl42aznw9 10

25/03/2025, 13:09

25/03/2025, 13:05

25/03/2025, 13:01

25/03/2025, 12:55

25/03/2025, 12:51

05/02/2025, 11:16

16/07/2024, 08:54

Analysis

max time kernel
120s
max time network
131s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
Size

71KB
MD5

8f033c07f57f8ce2e62e3a327f423d55
SHA1

57ac411652d7b1d9accaa8a1af5f4b6a45ef7448
SHA256

6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b
SHA512

f3712e7d5d55b27a4c20de07cce136e6d58ce62fa146d29b34dece6248e4456139703c50df10cb318346311cfeee0a8449d49163e821744efcde3ecfe8b880df
SSDEEP

768:zncoLkaCbCq2l52DbnoPV0Yglwlu1y7e7th3BuItxn:QoLkaCb12l0DbCV6Wqyixn

Score

10^/10

chaos defense_evasion discovery evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Restore_Files.html

Ransom Note

<img src='https://odkrywcyplanet.pl/wp-content/uploads/2020/05/galaktyka-Cosmos-Redshift-7.jpg' alt='' width='235' height='167' /> A S T R A L O C K E R 2.0   What happened? ---------------------------------------------- All Your files has been succesfully encrypted due to security problem with Your PC. All Your backups are deleted, or encrypted. Can I recover my files? ---------------------------------------------- Sure! But You need special decryptor for that. If You want to recover Your files, you need to cooperate. What can I do to get my files back? ---------------------------------------------- You can buy my decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer. The price for the software is about 50$ (USD). Payment can be made in Monero, or Bitcoin (Cryptocurrency) only. What guarantees? ---------------------------------------------- I value my reputation. If i do not do my work and liabilities, nobody will pay me. This is not in my interests. All my decryption software is perfectly tested and will decrypt your data. How do I pay, where do I get Monero or Bitcoin? ---------------------------------------------- Purchasing Monero or Bitcoin varies by country, it's best to do a quick google search yourself to learn how to buy Monero or Bitcoin. You need to pay 50$ in Bitcoin or Monero. You can buy Bitcoin here: https://localbitcoins.com/ Where i can pay? ---------------------------------------------- Monero Address: 48CEU93NRDqCmH3qfksLRLeQJ9mjbFCUXEyZkStiRDWtDodmAtd7voHF1sHa17MgmoYmMoErrJstV6nC1DqYoKxT38r6TUh Bitcoin Addres: bc1qpawwquwas0gd88u66hgxp222p52madqp5lk5xw Contact ---------------------------------------------- After payment contact: [email protected] and send Your personal ID with transaction ID (if you are paying with Bitcoin) Warning! If you report these emails, they may be suspended and NOBODY gets help. It is in Your INTEREST to get the decryptor. Your personal ID is: ID12_Yashma 1)Don't change the extension of the files. You will harm the files. 2)Don't move encrypted files. 3)Don't try to recover files by Yourself. This is impossible. Your files are encrypted with Curve25519 encryption algorithm, You can't decrypt files without private key. 4)Don't report to authoritaries. If You do it, key will be deleted, and Your files will be encrypted forever. 5)The price will be lower if you email me within 24 hours after encrypting your files.

Emails

/>[email protected]<br

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

resource	yara_rule
behavioral25/memory/1304-1-0x0000000000070000-0x0000000000088000-memory.dmp	family_chaos
behavioral25/files/0x001a00000002b162-9.dat	family_chaos

Chaos family
chaos
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1544	bcdedit.exe
5348	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4232	wbadmin.exe

Disables Task Manager via registry modification
defense_evasion

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Restore_Files.html	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1464	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-167299615-4170584903-1843289874-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2064_772911919\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2064_772911919\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2064_772911919\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2064_1415012270\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2064_1415012270\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2064_772911919\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2064_772911919\sets.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2064_1415012270\keys.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2064_1415012270\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2064_1415012270\_metadata\verified_contents.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
4352	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133873814113545459"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-167299615-4170584903-1843289874-1000\{C9CBD257-9D03-45B6-83C4-B5CC9712E1E3}	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
1464	svchost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
1464	svchost.exe
1464	svchost.exe
1464	svchost.exe
1464	svchost.exe
1464	svchost.exe
1464	svchost.exe
1464	svchost.exe
1464	svchost.exe
1464	svchost.exe
1464	svchost.exe
1464	svchost.exe
1464	svchost.exe
1464	svchost.exe
1464	svchost.exe
1464	svchost.exe
1464	svchost.exe
1464	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
Token: SeDebugPrivilege	1464	svchost.exe
Token: SeBackupPrivilege	4376	vssvc.exe
Token: SeRestorePrivilege	4376	vssvc.exe
Token: SeAuditPrivilege	4376	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2372	WMIC.exe
Token: SeSecurityPrivilege	2372	WMIC.exe
Token: SeTakeOwnershipPrivilege	2372	WMIC.exe
Token: SeLoadDriverPrivilege	2372	WMIC.exe
Token: SeSystemProfilePrivilege	2372	WMIC.exe
Token: SeSystemtimePrivilege	2372	WMIC.exe
Token: SeProfSingleProcessPrivilege	2372	WMIC.exe
Token: SeIncBasePriorityPrivilege	2372	WMIC.exe
Token: SeCreatePagefilePrivilege	2372	WMIC.exe
Token: SeBackupPrivilege	2372	WMIC.exe
Token: SeRestorePrivilege	2372	WMIC.exe
Token: SeShutdownPrivilege	2372	WMIC.exe
Token: SeDebugPrivilege	2372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2372	WMIC.exe
Token: SeRemoteShutdownPrivilege	2372	WMIC.exe
Token: SeUndockPrivilege	2372	WMIC.exe
Token: SeManageVolumePrivilege	2372	WMIC.exe
Token: 33	2372	WMIC.exe
Token: 34	2372	WMIC.exe
Token: 35	2372	WMIC.exe
Token: 36	2372	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2372	WMIC.exe
Token: SeSecurityPrivilege	2372	WMIC.exe
Token: SeTakeOwnershipPrivilege	2372	WMIC.exe
Token: SeLoadDriverPrivilege	2372	WMIC.exe
Token: SeSystemProfilePrivilege	2372	WMIC.exe
Token: SeSystemtimePrivilege	2372	WMIC.exe
Token: SeProfSingleProcessPrivilege	2372	WMIC.exe
Token: SeIncBasePriorityPrivilege	2372	WMIC.exe
Token: SeCreatePagefilePrivilege	2372	WMIC.exe
Token: SeBackupPrivilege	2372	WMIC.exe
Token: SeRestorePrivilege	2372	WMIC.exe
Token: SeShutdownPrivilege	2372	WMIC.exe
Token: SeDebugPrivilege	2372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2372	WMIC.exe
Token: SeRemoteShutdownPrivilege	2372	WMIC.exe
Token: SeUndockPrivilege	2372	WMIC.exe
Token: SeManageVolumePrivilege	2372	WMIC.exe
Token: 33	2372	WMIC.exe
Token: 34	2372	WMIC.exe
Token: 35	2372	WMIC.exe
Token: 36	2372	WMIC.exe
Token: SeBackupPrivilege	5632	wbengine.exe
Token: SeRestorePrivilege	5632	wbengine.exe
Token: SeSecurityPrivilege	5632	wbengine.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2064	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1464	1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe	78
PID 1304 wrote to memory of 1464	1304	6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe	78
PID 1464 wrote to memory of 4900	1464	svchost.exe	79
PID 1464 wrote to memory of 4900	1464	svchost.exe	79
PID 4900 wrote to memory of 4352	4900	cmd.exe	81
PID 4900 wrote to memory of 4352	4900	cmd.exe	81
PID 4900 wrote to memory of 2372	4900	cmd.exe	84
PID 4900 wrote to memory of 2372	4900	cmd.exe	84
PID 1464 wrote to memory of 2456	1464	svchost.exe	86
PID 1464 wrote to memory of 2456	1464	svchost.exe	86
PID 2456 wrote to memory of 1544	2456	cmd.exe	88
PID 2456 wrote to memory of 1544	2456	cmd.exe	88
PID 2456 wrote to memory of 5348	2456	cmd.exe	89
PID 2456 wrote to memory of 5348	2456	cmd.exe	89
PID 1464 wrote to memory of 4980	1464	svchost.exe	90
PID 1464 wrote to memory of 4980	1464	svchost.exe	90
PID 4980 wrote to memory of 4232	4980	cmd.exe	92
PID 4980 wrote to memory of 4232	4980	cmd.exe	92
PID 1464 wrote to memory of 2064	1464	svchost.exe	98
PID 1464 wrote to memory of 2064	1464	svchost.exe	98
PID 2064 wrote to memory of 752	2064	msedge.exe	99
PID 2064 wrote to memory of 752	2064	msedge.exe	99
PID 2064 wrote to memory of 1496	2064	msedge.exe	100
PID 2064 wrote to memory of 1496	2064	msedge.exe	100
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101
PID 2064 wrote to memory of 2808	2064	msedge.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
"C:\Users\Admin\AppData\Local\Temp\6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4352
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2372
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1544
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:5348
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:4232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\Restore_Files.html
    3⤵
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x308,0x7ffc0851f208,0x7ffc0851f214,0x7ffc0851f220
      4⤵
      PID:752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1724,i,17939006084584358091,3986769207560432616,262144 --variations-seed-version --mojo-platform-channel-handle=2116 /prefetch:11
      4⤵
      PID:1496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2084,i,17939006084584358091,3986769207560432616,262144 --variations-seed-version --mojo-platform-channel-handle=1732 /prefetch:2
      4⤵
      PID:2808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2548,i,17939006084584358091,3986769207560432616,262144 --variations-seed-version --mojo-platform-channel-handle=2536 /prefetch:13
      4⤵
      PID:5944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3480,i,17939006084584358091,3986769207560432616,262144 --variations-seed-version --mojo-platform-channel-handle=3488 /prefetch:1
      4⤵
      PID:2276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3492,i,17939006084584358091,3986769207560432616,262144 --variations-seed-version --mojo-platform-channel-handle=3704 /prefetch:1
      4⤵
      PID:2452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5040,i,17939006084584358091,3986769207560432616,262144 --variations-seed-version --mojo-platform-channel-handle=5108 /prefetch:14
      4⤵
      PID:6052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5044,i,17939006084584358091,3986769207560432616,262144 --variations-seed-version --mojo-platform-channel-handle=5124 /prefetch:14
      4⤵
      PID:448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5572,i,17939006084584358091,3986769207560432616,262144 --variations-seed-version --mojo-platform-channel-handle=5536 /prefetch:14
      4⤵
      PID:5000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5860,i,17939006084584358091,3986769207560432616,262144 --variations-seed-version --mojo-platform-channel-handle=5884 /prefetch:14
      4⤵
      PID:5096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5860,i,17939006084584358091,3986769207560432616,262144 --variations-seed-version --mojo-platform-channel-handle=5884 /prefetch:14
      4⤵
      PID:3568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5976,i,17939006084584358091,3986769207560432616,262144 --variations-seed-version --mojo-platform-channel-handle=6008 /prefetch:14
      4⤵
      PID:4808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
        
        cookie_exporter.exe --cookie-json=1136
        5⤵
        
        PID:5732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=732,i,17939006084584358091,3986769207560432616,262144 --variations-seed-version --mojo-platform-channel-handle=5592 /prefetch:14
      4⤵
      PID:5048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4212,i,17939006084584358091,3986769207560432616,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:14
      4⤵
      PID:2372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5536,i,17939006084584358091,3986769207560432616,262144 --variations-seed-version --mojo-platform-channel-handle=4904 /prefetch:14
      4⤵
      PID:4612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5192,i,17939006084584358091,3986769207560432616,262144 --variations-seed-version --mojo-platform-channel-handle=5196 /prefetch:14
      4⤵
      PID:4928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5128,i,17939006084584358091,3986769207560432616,262144 --variations-seed-version --mojo-platform-channel-handle=5360 /prefetch:14
      4⤵
      PID:5748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6100,i,17939006084584358091,3986769207560432616,262144 --variations-seed-version --mojo-platform-channel-handle=4932 /prefetch:14
      4⤵
      PID:880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5632

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3168

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Restore_Files.html

Filesize
3KB

MD5
cf0cc6e9f7b71141a348d2f8a9cc800f

SHA1
bd198c4263359f42901ee30c3c24fc0ee8b2bd9e

SHA256
5a78197d3cd89269832678d0a59244b21fb0d6a8a87c2a080f68975e9c2febb9

SHA512
4dd5ff23ba3401ffc050e34dd83f37aeef6e4e24ff29809309ddd40ffce4b4b9cab2764f53dbf843c4cf870e37590ece34c98d7bce9f50b193f632a3b1db38de

Download Submit
C:\Users\Admin\2012_x86_0_vcRuntimeMinimum_x86.log

Filesize
1B

MD5
d1457b72c3fb323a2671125aef3eab5d

SHA1
5bab61eb53176449e25c2c82f172b82cb13ffb9d

SHA256
8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

SHA512
ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
e5f3655796637b7d0f4a8ed402e119ea

SHA1
3baaf516676664d46727759914745776a166016a

SHA256
22d91a4321390a9445110f04d5600f49f03604a2d7ecadd10c663248295c88dd

SHA512
2125899d678c926c9f85ad81892f8ee91aa0a74e4c533bcb6e48675ebf0eccbe0db17998f3e3ab961cf3beb8fef7f950588398c5868327aa2d33f81bde797ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b81e19984b4edf2f348a9a1dfb091b34

SHA1
ce29b3d1547de68797bc5b8dd51c7ef67c9dc7ee

SHA256
cf9197d19ab390031172bf6820e744d45188435f217c672ca5de6fd5752260e4

SHA512
d68360a6e22f7c250ade1e9c8b42fa261e95ebd6e53e0d533fd62b2b7501202e97777185887b34f11fbef9947bc443edc072def91e03285a2d84e4adff20d4fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
6cc028d840c60b7d8b7da3e6f64b9d18

SHA1
2107121c6c3916979ea2225a370c6c6c29a9c744

SHA256
608f4835e83f3d178d2e027fcc8504f72aa01c53c7b1b3f37e843a447bf598e8

SHA512
1619a93da4b5dd9648b636ed0f13fcdf99ac674f1e23f2f367f659c28748f92467f4a74154353ee93b0e11f78423103ee6c3e1b8518fcd0efd1b010022d77dc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
067953d8d075ddbea0b0f1e7dfba8d6a

SHA1
5cd4e4b3c88700a4989ba2b773c4d1bbf4d27b79

SHA256
a0fa88107474b526173f23320f6985abf833ddcd0bf4df9ba36f128a34ce3d6d

SHA512
14c96fc42121b4f837fef5aed474508a0cd5c509f6bf5514e3d64f6fedd0338fd71b3e1bf644455d417704d46751b160f7b33e9b92fb13db7488d137b0bbef3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
145c759d8e7b53ece8b4a205d1216686

SHA1
ee089f63a0ce78976a9fcc9af3f13c370f2a5bc1

SHA256
79bd5f4590bb2ae2141bc784b4499dc128cecf6ec5636d79ffd4e349f95b3a38

SHA512
f7fea4ca7fc48f2a1e2e40aa31b95feae64c10a8204d8e04a96d015e79a676564e63dc22b2a778e53c287b18f57dc24abc9d3ac09db39feb0614cd101d1801e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
f824be8e8674c4223b0de6acd25f81d9

SHA1
c2ed73a657749653f64de9884acd05a1bf171c26

SHA256
e5a18a39c06b5ce3848f94e28c7a9b8a5cf2b225d570b88c88050e11d004bb89

SHA512
4e8663f7cbcdc8fa946ba07963d2f109fc227a721f4e3605f5f8a3db43b3954a8004028beaf961c750adb44ba3b012494bf60dd2b0c6d43da9aea3f7af126b3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
896B

MD5
e13b13667f8bfcb15b11edc92b799510

SHA1
753fb07f2bfe7b1506679d108e1acf724984dc1a

SHA256
b3ed4b27bd826da10ac268f5173c843c61fdf486a4bd9a5f5b1e809e0f10f65a

SHA512
028916bbe490611b02fe4ffa514623f35ec848b4a88153f524fe14331780e4d428e857a23d6c4e50c0d200d0a2915130896811884c3a1e0b2458815ef182d481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
465B

MD5
49f0f20d1989194f3e2925c21d07cb36

SHA1
75497a2d1aa70dfae5749e6b1c65f1b30395b31d

SHA256
116de3f05b377e5d869dbe0ad31e42484b72f01e91041938936a696dc1009392

SHA512
f8c0adbb2eb13235806ae6672e2ef1f9908bc32db0effaed0fe87344778283724d31938fd1dc4c96e929fc5de0aa9f25e1199ff9b091a3c72651998c99ebcf34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
0ba1cb9a264fc27116a0edf31b732adb

SHA1
c6558e5a33005141fddec2108d556b079ecc0f77

SHA256
d1e4de1ed66504f9fa8be6c689cfb4191d3164e4f5c210c760f27c3a68b9e50a

SHA512
d38a87505a683c784de9e82cbf48423e273226414821fe9524a534d169b9ffc842d5d40255a88bc13451002f3ace7181d63797552ff5549758717a98f3de0252

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
0c0f32ea81de3ab2a1acf144111df781

SHA1
e148200efb2b84ee71d0bd5024b44bc57e76adc6

SHA256
43901d5aa51ef88ba9b833e4d3f726817e4528f31fc4c1ad8efb1d2ebe7c1926

SHA512
1047ebead6ab5626e98001a3d966db97193c8931972840df331acea487bf92b904a535b8cf6fc48e4270243c21c870450b8fc9ae5f15d6c1b436d3f065a8ed8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
c92e7d16840ac668a2842d59d47867c3

SHA1
430b10b7f22498ca8d428310c048f363e1587d41

SHA256
c4a6b2ef7b2d38431118e94891d7c2ee053e47172366e1109ca47a76ff05822f

SHA512
cf093fb0064f207250bb6bab398bba8b09fa1de43d80d33285fbaff6580a9df8cfa8f2c07ddb1ebc97fa4fb8af9fdbb11e262b80978c967e162bc6f1bca8d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk..hacked

Filesize
768B

MD5
06e1311e635d018ea534d083bc8d8ea5

SHA1
6a38d7064efcebe75c0c24572be19cc2924ad952

SHA256
646eb8d4986ec3bea1d336424a87100d8683452a4d74d082b7fc069a6d714094

SHA512
25d701b6ed1e176769b6c369cc0e845dfba4572a549fa0cba9f87dedd3c3f4761b6d014f51c44ee2d6a5144536f533929fa1cc95b28cd62a625e8b8ebb4fe2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk..hacked

Filesize
1KB

MD5
30620b9c0a98580c8d245b012075219b

SHA1
33a603cd758110553a1de67fe0bfda35d88730bf

SHA256
29516cc41292217b3ffe0b8bec521fc6c4af977e16b8cde74faf9027417f6178

SHA512
bf35879ec9d25aa6423958390c39789bbe8f0c46280efaf56a3e0fb27394fd32f8f133b1d3f48a763f06cd9ab413637d75446e20e75a52e036167b2356a91216

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk..hacked

Filesize
2KB

MD5
3ca50c890ed91d74b2a99445568803f0

SHA1
3b53a3d4da274aed700263abaf50e7a1ef66d56f

SHA256
1c648db83b56a8770f8b97d6aa23e99c04d1003b7f66998afdd3a03504c249ae

SHA512
4f52963080b9ebfc845ca7916b0468eff23a0998bba0c61dbf1fe3215f087769c1c2f67b1b38814ab370427407063b1a88859a7df109ce4c504e2661d206dea4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools.lnk..hacked

Filesize
1KB

MD5
02e2dc79c2bfda00483a8b1d651af699

SHA1
d1f22b111ae5e82670af81fea0d53ab237f51a0b

SHA256
c7f1cf99b8c660777cdcdf881948f74382c59ad219ff8e6f210459e75c157d81

SHA512
20cddffa45b30744e414c3acf497bceff029a5383ca222ad55d26df163625e5dc07e6b88ae7a40738a4cae2730b93ffd08b6d1383b9a13e2c4e0787585cced93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\File Explorer.lnk..hacked

Filesize
768B

MD5
d753286b96ba71ec10ca21f808372d2e

SHA1
7674f908958e4a7c06017b7f558daf30247479f7

SHA256
52fbce93bc318aa7ef9195446f5f113a439f9880efd123fb9e8fca0b4a3b1ece

SHA512
df1f830b197b213b7b4a8c2b3788fbbf91e745b7b47a008ffca15a33c05c3fc3722b64abe5ebd9dd968354075b9c5839b2f49f334d8c73fc8ff6ee460164df24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk..hacked

Filesize
2KB

MD5
7e2c83053c7c177553890b128728aca9

SHA1
63a6fe89d91958b90182e830336fecd0b9e073a7

SHA256
ebb7aa44b6830373445f625e40c977435508ed06714a8b190300fa5faaab649f

SHA512
57694e94a3fde218a0c8b4d443688840a57fed31d3885fe07e10fc82f1e6904758cdc350b8296f61f7cff41eb356b51b91700ab8eda9fd1fd2724260a86ad686

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
71KB

MD5
8f033c07f57f8ce2e62e3a327f423d55

SHA1
57ac411652d7b1d9accaa8a1af5f4b6a45ef7448

SHA256
6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b

SHA512
f3712e7d5d55b27a4c20de07cce136e6d58ce62fa146d29b34dece6248e4456139703c50df10cb318346311cfeee0a8449d49163e821744efcde3ecfe8b880df

Download Submit
C:\Users\Admin\Desktop\DisablePush.mpeg..hacked

Filesize
393KB

MD5
a97f66a952254b1b1d3bbb22ad669778

SHA1
9637a871f43786a62a939bbdd0427c855f1cc70b

SHA256
248589f7580948f56bf0c410896c658d54ec8841d1566b19492ca0a57f4a9039

SHA512
54a94a9551b49c7a13a0488a6385cf49df67e668a732902fb7cb95891cb1a81bfe0afc687278315aab922fbbbd90f55c1eb3be40e0c2aeeeb5e539142cf7407e

Download Submit
C:\Users\Admin\Desktop\EnableUnprotect.rtf..hacked

Filesize
339KB

MD5
adf094666a7ee7ed302a52bb9b45e98d

SHA1
3ef7f6fe88d930c8207e137a31647a825e0a35aa

SHA256
566b7a5f997f73bee469773fcd108a37b675268f6124ce501fde78696715ba8f

SHA512
77306b1117d21031f4e4fa5a14d4436a8fe46b0127fd68ab8006a6b8d8c3347ddf00b67758d6c4e5a584375804f0d9f27631de4196e0642ba0f38972d0867806

Download Submit
C:\Users\Admin\Desktop\FindReceive.docx..hacked

Filesize
718KB

MD5
200055c3fa061040cafa58804c207608

SHA1
8a4847b74f9074ba987a9070f7f42e1c09d3cd61

SHA256
659fed079fada44605d2e3cb7031e269c74a65dd3a99b40f7731b06eb4930969

SHA512
85903ef4ca088396e76f7912ce211c2c6aefa86e5c73f0e6e3c094cada22d9a7fcc6f9a047dfb0c38b122e9eab9c25572e21cb496cea2440a7117f483ce9f86e

Download Submit
C:\Users\Admin\Desktop\HideSplit.dot..hacked

Filesize
420KB

MD5
4c168a43b98c73aef0e1f5c151c560d5

SHA1
bb29cb85535bc5708a3bfd453f998205b46f1f06

SHA256
68fd5d32cfce033a5a3a4cfb37e81f9e4d8dda52516a1ce4551817850bbb3109

SHA512
b303012cbffffe0ffe94928a9f6743e264ee26579041bae24297ae27a9fd71d893aa0ec3aff55f4000638d1cfe3f23a45a40fd7267b7e5e06f9eebc62c9f2251

Download Submit
C:\Users\Admin\Desktop\ImportGrant.docx..hacked

Filesize
14KB

MD5
95790db5d65a9827c927cf9d1992e31d

SHA1
4716efbc379813e79460ab688d6269102a995ae7

SHA256
e0992d513b934488e993945eeabac36d835a12f933e174f2e7057bcc94c8746e

SHA512
a7be547262514b6f15847ad46e6bbc7c17b7bdc69b9aca59125fff74da761c2e9cd53b2f0506067a52942f3fcaec6f6beb3b58d7fa3e7c2fe3a709219707cd08

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk..hacked

Filesize
2KB

MD5
69440d71f6b39da89be04330ccbfc5d7

SHA1
d2d9672163d11d1b3f61c3ba6b08ebe4de527ea1

SHA256
2337487886a34f636199a75d35c46a21d4d443cf5f0aaa701c14a51a88f5ca8e

SHA512
dfbd782e4aaca8836d27ef542236d6eb7a3b92b56ed9b96fb4243d21eecb7d263acd5f6c60459457877b8f7bceb94096cffe3645700eaf028995bc507ab4b5f2

Download Submit
C:\Users\Admin\Desktop\RepairOut.mp4..hacked

Filesize
881KB

MD5
2f41580635edd48ba03cb5466ae384ae

SHA1
b31e67ab0afb519f5b1780107e81ecd65708bbe7

SHA256
8a2f217aa2d9df7cff3de74331d2ae87106f362ee41b9b46d7cc106a9bef01ad

SHA512
2ff1b5635762551899e9c765d7ef9cf93418df2985b6c8665c602bb83d651a11a06f4671435668071437a85a1b819b02965cf532e1d39830065593fb8361257c

Download Submit
C:\Users\Admin\Desktop\ResetRepair.xltx..hacked

Filesize
312KB

MD5
b8e4e6579bbe75086125c29630afbdaf

SHA1
d1a534459bb3e05b6a1c03506369c36f3d28efa2

SHA256
afb3712a6857ef44f755ce7a158f9f604d8891f2e720b27f37b618962e4276b9

SHA512
6366628839846c8d22a8f94ae1849db194f3a028f12fe27656fb77220ff553acacf84a2080adfc290f4b2375036cccae44ad70448cfc489cc8232816b0a4b10f

Download Submit
C:\Users\Admin\Desktop\SwitchRename.jpg..hacked

Filesize
610KB

MD5
69ec4e0c184a95d61bc727cebcdbed05

SHA1
a703b27836007023ce986d1b6279f1f425b40459

SHA256
47fc889d31d4680abe5add3d9f2f120e23cfa9472d384a13df7f93a8032f31ff

SHA512
12819356d32d314913b4b3cfcf8850b694b18eaf96db53c7942492a8d627855cc3ccfd8faddb24756bc048640eb86cfa1262fccd488a2fd178037f25d3feeac6

Download Submit
C:\Users\Admin\Desktop\UninstallSet.xps..hacked

Filesize
555KB

MD5
c38a083ce6e2c4b669703d9b03b3ad2d

SHA1
bfc0e78dcd05cd939906fbb426e2456adf2e0f41

SHA256
f692d738b163fd1606a66b240a01ac9169dc70e06b1f68fa8cb98e58bc2fabe0

SHA512
f1a1260f6351434bb3a90d1ca1b2ca1d051092ec86dd2b84ea90e0427945da1c7708e56fe5dd87c1a3dd6f99f0c48b32c719141b8afa7eb4e222521839eca176

Download Submit
C:\Users\Admin\Desktop\UnlockPop.mht..hacked

Filesize
637KB

MD5
91f9b509932355baa6e0ae09092e0664

SHA1
ebab937eaf4f8d9d2c3ea2a675b236440ca6d1aa

SHA256
6dcbc9eb4c53c86d207eb3b8af66176395f59c2c535dcd4db2f4c89dee262588

SHA512
1f733c1fc7aa6ee0456c73c75fe1a7a074d8309248763d5d46c6b1a26a1820f6c91df4e78d0aae804c1e3ae923eceea53e2c6e274c35a421c51027963a0a03a0

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk..hacked

Filesize
2KB

MD5
5dca6ba4763cf5f50ad024add4dfa036

SHA1
9e676d5b6953b2e0f9a87d3c59af6324661c7309

SHA256
76a6f8008668b61dfad1b6819459c2386e4af408880f44b0cd49e8c00b467a4d

SHA512
22a7366d07caea662a418ac85893ffbf74615c95b6491c85103505698c9148052ef169ea1f6d2578b1ba4272324bc7b0ba4baa928766817ac42df2ad9609ff70

Download Submit
C:\Users\Public\Desktop\Firefox.lnk..hacked

Filesize
1KB

MD5
2bdd2c5e964fc8f93af6ba667456d682

SHA1
04c01b0a45e7ffc82f0f4425b74ee1f8348e74ca

SHA256
a0af2a1072c617da6ca074986bf17e32184e38e00faa136160a3c5d46fd8a825

SHA512
55b06e5caa1900fb8c4dfd6e42716e740d074887025661ee741f7f2fb3d126f09f3a07f53b6c848c5f581392804c609d7924a760e0d500fdeba957e27c0ac4c7

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk..hacked

Filesize
2KB

MD5
6a3f29297104aa4e245f08a284fadb4a

SHA1
6c8a65631cae41529de744bcc41b34687412770e

SHA256
9d564c53384af76da43304e77da4cb4eda8d07178da3bfd0ee262b2944c25c32

SHA512
116a919cdd9ea8da4a412ec451cc6750ea8433cd9213064caac396afdcf09f83807abd64ed5ce5aab4bf48bf27fc25b8cd5bbfdcebb2ba45f68b8015622124bb

Download Submit
C:\Users\Public\Desktop\Microsoft Edge.lnk..hacked

Filesize
2KB

MD5
10e5498932a1a05423a4091554942b87

SHA1
3d98e8f4e5fcf7e4542030ed9c269895c8f57008

SHA256
69681a2e5b4315090c7ff5c5059d7b47a44288cf194b0d4ff4c51a2de20c27a0

SHA512
a1542ddfe64cfc2f2380ffdac61f858442a04041738f6c3a9f93d1ee5f9076ec0e208663b11aee1cb34666a8f82ed834b172f7f9aa48b7ff3ea539df00c9202c

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk..hacked

Filesize
1KB

MD5
2393441e67041f72dc6637865342c474

SHA1
1ec21ff6ba5a43e45324225a12aaa3f0abec6e62

SHA256
75e9ef6dd304d6971a060bf26b148d75375be7c63b6be86452cc5b77b9e7fbf0

SHA512
af36047f6d888fd91bcfb4b249c1cdddf1ecb913a2906f424fdf5253c8b6bd6144242adf5d7e0f58d9a91e0fd12417504c02671ceeaa24f2b6bfacda0314fe7b

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2064_1415012270\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2064_772911919\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2064_772911919\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
memory/1304-3-0x00007FFBFB6E3000-0x00007FFBFB6E5000-memory.dmp

Filesize
8KB

Download
memory/1304-4-0x00007FFBFB6E0000-0x00007FFBFC1A2000-memory.dmp

Filesize
10.8MB

Download
memory/1304-2-0x00007FFBFB6E0000-0x00007FFBFC1A2000-memory.dmp

Filesize
10.8MB

Download
memory/1304-0-0x00007FFBFB6E3000-0x00007FFBFB6E5000-memory.dmp

Filesize
8KB

Download
memory/1304-18-0x00007FFBFB6E0000-0x00007FFBFC1A2000-memory.dmp

Filesize
10.8MB

Download
memory/1304-1-0x0000000000070000-0x0000000000088000-memory.dmp

Filesize
96KB

Download
memory/1464-1382-0x00007FFBFB6E0000-0x00007FFBFC1A2000-memory.dmp

Filesize
10.8MB

Download
memory/1464-17-0x00007FFBFB6E0000-0x00007FFBFC1A2000-memory.dmp

Filesize
10.8MB

Download