guloader | a92dc285c11951b278e4a6de0facff86e30f27cca77d1049d7a11da6dd37eb03

Analysis

max time kernel
300s
max time network
280s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SWIFT.scr
Size

716KB
MD5

c1a83e61f3e5e28fb499b2c204243549
SHA1

08124d6acc7e9f26e99b10f5e909081c788b477a
SHA256

6d4171c68f4f2d1e2f3da572c62247d92cd98684046516cef1bb5a023a538755
SHA512

a0bad0c833d523bc120a7f855f4dbe55226525963ed5d2ef2a811b54738a2accec957e4f2ea8f68bf760ad4b37cc9e741bb735476cbe42ea91df7c930870e034
SSDEEP

12288:LR3BUIpYzX5bjzN1ueIzsbnVzpuRmWczn46l0xFXc3gIwEg:V3GIOjzNnMwVsRmW0nl0Pg73g

Score

10^/10

guloader remcos host-2 collection credential_access discovery downloader rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

Host-2

176.65.142.14:6060

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-HM3EZ8
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 7 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/1452-56-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft
behavioral2/memory/6104-66-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/6104-58-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1452-65-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft
behavioral2/memory/3700-64-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1452-52-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft
behavioral2/memory/1452-70-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/6104-66-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/6104-58-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/1452-56-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView
behavioral2/memory/1452-65-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView
behavioral2/memory/1452-52-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView
behavioral2/memory/1452-70-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView

Uses browser remote debugging 2 TTPs 15 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2372	Chrome.exe
1700	Chrome.exe
3840	Chrome.exe
2604	Chrome.exe
2160	Chrome.exe
4768	Chrome.exe
4092	Chrome.exe
536	msedge.exe
2256	Chrome.exe
4704	Chrome.exe
4700	Chrome.exe
5944	msedge.exe
1956	msedge.exe
2864	Chrome.exe
3496	Chrome.exe

Loads dropped DLL 2 IoCs

pid	Process
5704	SWIFT.scr
5704	SWIFT.scr

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	recover.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	drive.google.com
32	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4348	SWIFT.scr

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5704	SWIFT.scr
4348	SWIFT.scr

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4348 set thread context of 1452	4348	SWIFT.scr	99
PID 4348 set thread context of 6104	4348	SWIFT.scr	100
PID 4348 set thread context of 3700	4348	SWIFT.scr	101

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\th\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\sv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\ca\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\hr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\ta\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\en_GB\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\offscreendocument.html	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\de\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\tr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\fil\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\sw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\ms\messages.json	msedge.exe
File created	C:\Program Files\msedge_url_fetcher_5944_287255082\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\fi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\lv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\ko\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\pt_BR\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\nl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\iw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\be\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\fr_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\pa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\sl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\128.png	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\ja\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\te\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\ro\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\fa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\ne\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\en\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\gu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\id\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\mr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\uk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\kk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\lo\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\ar\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\vi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\en_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\sk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\service_worker_bin_prod.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\offscreendocument_main.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\es_419\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\km\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\af\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\it\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\zu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\ml\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\hu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\es\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\hy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\az\messages.json	msedge.exe
File opened for modification	C:\Program Files (x86)\Common Files\crepe\satanerne.ini	SWIFT.scr
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\ka\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\bg\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\my\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\cy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\ru\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\page_embed_script.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\pl\messages.json	msedge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWIFT.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWIFT.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Chrome.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	Chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133875618737543346"	Chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-308834014-1004923324-1191300197-1000\{56C0A5E9-D2B9-401E-B3E1-C4A6AD19DCE3}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4348	SWIFT.scr
4348	SWIFT.scr
1452	recover.exe
1452	recover.exe
3700	recover.exe
3700	recover.exe
1452	recover.exe
1452	recover.exe
2864	Chrome.exe
2864	Chrome.exe
4348	SWIFT.scr
4348	SWIFT.scr

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
5704	SWIFT.scr
4348	SWIFT.scr
4348	SWIFT.scr
4348	SWIFT.scr

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5944	msedge.exe
5944	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3700	recover.exe
Token: SeShutdownPrivilege	2864	Chrome.exe
Token: SeCreatePagefilePrivilege	2864	Chrome.exe
Token: SeShutdownPrivilege	2864	Chrome.exe
Token: SeCreatePagefilePrivilege	2864	Chrome.exe
Token: SeShutdownPrivilege	2864	Chrome.exe
Token: SeCreatePagefilePrivilege	2864	Chrome.exe
Token: SeShutdownPrivilege	2864	Chrome.exe
Token: SeCreatePagefilePrivilege	2864	Chrome.exe
Token: SeShutdownPrivilege	2864	Chrome.exe
Token: SeCreatePagefilePrivilege	2864	Chrome.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4348	SWIFT.scr
2864	Chrome.exe
2864	Chrome.exe
5944	msedge.exe
5944	msedge.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4348	SWIFT.scr

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5704 wrote to memory of 4348	5704	SWIFT.scr	89
PID 5704 wrote to memory of 4348	5704	SWIFT.scr	89
PID 5704 wrote to memory of 4348	5704	SWIFT.scr	89
PID 5704 wrote to memory of 4348	5704	SWIFT.scr	89
PID 2864 wrote to memory of 3572	2864	Chrome.exe	98
PID 2864 wrote to memory of 3572	2864	Chrome.exe	98
PID 4348 wrote to memory of 1452	4348	SWIFT.scr	99
PID 4348 wrote to memory of 1452	4348	SWIFT.scr	99
PID 4348 wrote to memory of 1452	4348	SWIFT.scr	99
PID 4348 wrote to memory of 1452	4348	SWIFT.scr	99
PID 4348 wrote to memory of 6104	4348	SWIFT.scr	100
PID 4348 wrote to memory of 6104	4348	SWIFT.scr	100
PID 4348 wrote to memory of 6104	4348	SWIFT.scr	100
PID 4348 wrote to memory of 6104	4348	SWIFT.scr	100
PID 4348 wrote to memory of 3700	4348	SWIFT.scr	101
PID 4348 wrote to memory of 3700	4348	SWIFT.scr	101
PID 4348 wrote to memory of 3700	4348	SWIFT.scr	101
PID 4348 wrote to memory of 3700	4348	SWIFT.scr	101
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 5372	2864	Chrome.exe	103
PID 2864 wrote to memory of 5372	2864	Chrome.exe	103
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 1588	2864	Chrome.exe	102
PID 2864 wrote to memory of 3216	2864	Chrome.exe	104
PID 2864 wrote to memory of 3216	2864	Chrome.exe	104
PID 2864 wrote to memory of 3216	2864	Chrome.exe	104
PID 2864 wrote to memory of 3216	2864	Chrome.exe	104
PID 2864 wrote to memory of 3216	2864	Chrome.exe	104
PID 2864 wrote to memory of 3216	2864	Chrome.exe	104
PID 2864 wrote to memory of 3216	2864	Chrome.exe	104
PID 2864 wrote to memory of 3216	2864	Chrome.exe	104
PID 2864 wrote to memory of 3216	2864	Chrome.exe	104
PID 2864 wrote to memory of 3216	2864	Chrome.exe	104
PID 2864 wrote to memory of 3216	2864	Chrome.exe	104
PID 2864 wrote to memory of 3216	2864	Chrome.exe	104
PID 2864 wrote to memory of 3216	2864	Chrome.exe	104
PID 2864 wrote to memory of 3216	2864	Chrome.exe	104

C:\Users\Admin\AppData\Local\Temp\SWIFT.scr
"C:\Users\Admin\AppData\Local\Temp\SWIFT.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5704
- C:\Users\Admin\AppData\Local\Temp\SWIFT.scr
  "C:\Users\Admin\AppData\Local\Temp\SWIFT.scr" /S
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffae784dcf8,0x7ffae784dd04,0x7ffae784dd10
      4⤵
      PID:3572
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1988,i,8740262041156012313,12684351101809432264,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1980 /prefetch:2
      4⤵
      PID:1588
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --field-trial-handle=2136,i,8740262041156012313,12684351101809432264,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2132 /prefetch:3
      4⤵
      PID:5372
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --field-trial-handle=2548,i,8740262041156012313,12684351101809432264,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2544 /prefetch:8
      4⤵
      PID:3216
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,8740262041156012313,12684351101809432264,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3252 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2160
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,8740262041156012313,12684351101809432264,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3068 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2604
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --field-trial-handle=4704,i,8740262041156012313,12684351101809432264,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4700 /prefetch:8
      4⤵
      PID:5944
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --field-trial-handle=4416,i,8740262041156012313,12684351101809432264,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4728 /prefetch:8
      4⤵
      PID:4068
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4944,i,8740262041156012313,12684351101809432264,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4940 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2256
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4784,i,8740262041156012313,12684351101809432264,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4796 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1700
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4740,i,8740262041156012313,12684351101809432264,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4728 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4704
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5392,i,8740262041156012313,12684351101809432264,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5480 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4768
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --field-trial-handle=4828,i,8740262041156012313,12684351101809432264,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4816 /prefetch:8
      4⤵
      PID:4872
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3456,i,8740262041156012313,12684351101809432264,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5676 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4700
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --field-trial-handle=4720,i,8740262041156012313,12684351101809432264,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3480 /prefetch:8
      4⤵
      PID:1084
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4752,i,8740262041156012313,12684351101809432264,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4812 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3840
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --field-trial-handle=5064,i,8740262041156012313,12684351101809432264,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4996 /prefetch:8
      4⤵
      PID:5400
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5104,i,8740262041156012313,12684351101809432264,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5032 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3496
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --field-trial-handle=3432,i,8740262041156012313,12684351101809432264,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5116 /prefetch:8
      4⤵
      PID:3308
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4812,i,8740262041156012313,12684351101809432264,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5812 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2372
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --string-annotations --noerrdialogs --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5436,i,8740262041156012313,12684351101809432264,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5848 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:4092
- - C:\Windows\SysWOW64\recover.exe
    C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\iiqsnqvnhdhkynrgfbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1452
- - C:\Windows\SysWOW64\recover.exe
    C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\tkvdoafpdmzpitnkwlroirm"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:6104
- - C:\Windows\SysWOW64\recover.exe
    C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\veavosqjrurclzbofwditehzqc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:5944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x25c,0x260,0x264,0x258,0x26c,0x7ffae6eff208,0x7ffae6eff214,0x7ffae6eff220
      4⤵
      PID:2296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=2224,i,13779796405645829881,10596585715209969735,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:3
      4⤵
      PID:1044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2188,i,13779796405645829881,10596585715209969735,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2180 /prefetch:2
      4⤵
      PID:5908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=2804,i,13779796405645829881,10596585715209969735,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2800 /prefetch:8
      4⤵
      PID:5964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --instant-process --pdf-upsell-enabled --remote-debugging-port=9222 --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3596,i,13779796405645829881,10596585715209969735,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3592 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --pdf-upsell-enabled --remote-debugging-port=9222 --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4316,i,13779796405645829881,10596585715209969735,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4312 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=4688,i,13779796405645829881,10596585715209969735,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4728 /prefetch:8
      4⤵
      PID:2620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=4896,i,13779796405645829881,10596585715209969735,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4908 /prefetch:8
      4⤵
      PID:4576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=4856,i,13779796405645829881,10596585715209969735,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4852 /prefetch:8
      4⤵
      PID:3164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5588,i,13779796405645829881,10596585715209969735,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5584 /prefetch:8
      4⤵
      PID:5460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5588,i,13779796405645829881,10596585715209969735,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5584 /prefetch:8
      4⤵
      PID:3656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5680,i,13779796405645829881,10596585715209969735,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:8
      4⤵
      PID:5032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5832,i,13779796405645829881,10596585715209969735,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5828 /prefetch:8
      4⤵
      PID:5656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5696,i,13779796405645829881,10596585715209969735,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5704 /prefetch:8
      4⤵
      PID:2500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --always-read-main-dll --field-trial-handle=5632,i,13779796405645829881,10596585715209969735,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5720 /prefetch:8
      4⤵
      PID:3432

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping5944_130461076\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
f69fa5f104e0d67899baf57e7455dfd7

SHA1
8fe8991d18779840a173068cf287f422db18d73f

SHA256
6b8634a73f1943e182c982af93ef19cd46385ff974e9eb2e710b5cc800289852

SHA512
4c38f0692add1f1973a31fc1d7e76a2382a381572bf6db078314442436aca4b19c88c755754a282d18399aee5c9917046689985577a28a52c055d7ea918e4db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e5651e2-d69f-46bd-ae36-e27928026b59.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
b0366599d64b0fc1adb2a712dcd02ee1

SHA1
b7a1c09ccd2846664cab5f76bd80b8e9f107acb0

SHA256
ae1bddb9e2cc97b0c9cd78ef3cd17553be6e5204677bd67e0b8f7fa27007f189

SHA512
d7de6d48285018f8b709c81ca01688126db7893ce9f48829524ee3122aa6f2200c7f78186b5a558d0b1ecf8157ee78a20064b63b45ab89f7aa0835b8409435d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
8bb6396276eb5aa9eb357dc2ba7114bc

SHA1
80c2f45ad56182657adebe4a10ef4c3e549a1071

SHA256
3f820912e667b056ef81b2940f3709dcb00d6095aa9061cfc7275052d6c54f7c

SHA512
e53d5413b8bcade1623006ae9c1de8c84adc1486f6ede92581350554c5845b4e403f3f5489e5feb860718941d411cda9e8b07444efdab9e9e24a7cc26c392212

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
280B

MD5
df8eecc57d38a058b54d73dd17ad5117

SHA1
d9a3f5e0a49d1eaead5171683913aa81e2752919

SHA256
60334e11cec01abf8905fc039f7cd74637fc612682d0368e6edbadeff1ee6ff2

SHA512
bfa4785ca5825af018b958a232edbffb353407f690fa078426830cf5027cc4a8fb4e0ea7862c47c8a13edf38a13d430523cc10104ab239765d9eef2efdaf9a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
280B

MD5
782b70be1eadf027f61e3c4d98c767a7

SHA1
2a67b206a625aeca1536c8440bab63e6cd6e44e9

SHA256
59c7747e4e0e71d95218a7cb97db6e881cd346597f1592b572dd681ae736d0cd

SHA512
563265893f177a83e80564c30bbb85d11a8a6e5662607c9ff3644dfeffba464de767e7257e2ec8e66ef24458f04cf4a8499c66b9316ce63d0bc71fddb165da1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
280B

MD5
2577ba5b3d43440c097099f1a32aa48e

SHA1
b401b47a5507453f62567c67d635264befd6e5d4

SHA256
3ce62da46e5d324bf0c418b6e2059ea9151c4eecab4c2c8e6f4430e4fd3ba8d0

SHA512
15524b4ecef84950ba6ea1cc0805c285f41e77669482db3023f1a3d65e98383394c5d67524b155994ce414d2786da08c7d33fd2946f0d7cc40a49cfac5d6def1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
280B

MD5
fa989e1d043e59e2a3f3615d17657edb

SHA1
2c395e78162793ba7841ec6f7e0aa819ee205028

SHA256
6350a75830b6fc1448b652a38f666a52bf4a34b9c8b44b144c066224ec65ecd0

SHA512
8c05027728c857371be3f5acc170a04f6e88378a62fa69d5aa105adde3118a53229aa2b6579e55f72b475da4c204cea3d38175f1add3a492df0fa22a835fb7a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\094ae190-fce8-481b-b414-19cffb2c046f.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
a675eec42d7b5101baae3fd440b2e082

SHA1
9b15bf20f704502a8b13a22023a3cd986c29b510

SHA256
015b56a264efe2f133e279550f254daef93553d545cfae08da681139be54b9e8

SHA512
37d998ac04ebf6b11b402ab88b20832df2a735fcfa452f75b039b1fcdf865b649a1fd8da717e2280803b45976b47c2dfc7a9e840f2f1d3081821a1240e487dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\index

Filesize
256KB

MD5
3c803c76fd232102db483f6a3ec8266d

SHA1
b56bde1f5d8a8884d23e973ff3e96b79e4aefd2c

SHA256
8b31dd21b436b18e5aa20dfd9c6a1e40ce3ce396fef7c3eff213e4b73dfad511

SHA512
326c42c0a4365169c5680fa802be35fb532cd5f35474d51359ec71ddc062e75b0afe76271cd6b4af1f0ad810648fd64b05f0d388f2729830995af9579e7ed392

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_1\_locales\en_US\messages.json

Filesize
1KB

MD5
578215fbb8c12cb7e6cd73fbd16ec994

SHA1
9471d71fa6d82ce1863b74e24237ad4fd9477187

SHA256
102b586b197ea7d6edfeb874b97f95b05d229ea6a92780ea8544c4ff1e6bc5b1

SHA512
e698b1a6a6ed6963182f7d25ac12c6de06c45d14499ddc91e81bdb35474e7ec9071cfebd869b7d129cb2cd127bc1442c75e408e21eb8e5e6906a607a3982b212

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\_metadata\verified_contents.json

Filesize
1KB

MD5
738e757b92939b24cdbbd0efc2601315

SHA1
77058cbafa625aafbea867052136c11ad3332143

SHA256
d23b2ba94ba22bbb681e6362ae5870acd8a3280fa9e7241b86a9e12982968947

SHA512
dca3e12dd5a9f1802db6d11b009fce2b787e79b9f730094367c9f26d1d87af1ea072ff5b10888648fb1231dd83475cf45594bb0c9915b655ee363a3127a5ffc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
a870ffbb9dfa303fdb4a84ad6edcb682

SHA1
e9cb9b68b4c34d0171280563ca69cc5145740ee3

SHA256
9b3f5f2267d6b489f05d803c177e49086b37cfe14f389b85394e95eebc4fbefe

SHA512
f940420a5b0b1ab01f4defe73d9502e4555a426ced35f0d1f2e5b4af019fdf8811e492c854887818d775d5713093c460a2dc820fcc5f02f6a83f289e80bc4691

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
7768fdf855a1e05950ad64cab4c6557e

SHA1
159f30feb806c3c4e2ec62cf34bcddef8bd3e347

SHA256
18e33292b1d8cdfccce557a70e278433a039e23f7b143426c48c4ed0ea96a972

SHA512
af71a414d13bb992876746f74c6343320b557e46a66a75c4a0ec900b8d5798b3136f49bca161bb21173e8eb466e2e52c1851f96df5e68ceded45146a27e8bd5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
a152a4a2dce07f4cccbb907658602cd6

SHA1
a87230c54c0a792c855910eb571d8c2c56bd8d51

SHA256
546c7657a1c30fc7e5c5ecb312137d2d16f90d36ea370f596a6c61e8de0015c6

SHA512
2b55daf642279d5bbf8fc75dc04c69f45ae590bce900eebca2ae756652e37cabeb71443964a0ccd3f14bc75cd51133435530634c85b7452251958e3c1b41c9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
a156bfab7f06800d5287d4616d6f8733

SHA1
8f365ec4db582dc519774dcbbfcc8001dd37b512

SHA256
e87b3d155c7582d4c1d889308b58f84e8fe90a1581014b21b785d6694bd156cc

SHA512
6c8eeab3ae6fb0d5be7758cca521665b216f31aed1aeeeaf121c99dc9f0192b385de0da36e94f90dd4a9bbbac6be2c5a55d2f284a24ccb7dec2c5302fb9b027c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Network Persistent State

Filesize
2KB

MD5
498d6cd4819c27482f623da0888229c4

SHA1
9621c12402e99683cf661c9b950181d0e2a90515

SHA256
d06fe8ec3abb2233dc494b97d793b3b797c2e73020d94d192eb6f945682b5d91

SHA512
eb5dd44001165c228124482e83104bca190e71dcc69b1df8d72771a8adaa227ade8324a7378da410bbdef9967768903c5b4eb824eb830f0305a481958b3a3fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
7KB

MD5
68461d4b184da637b0081f2157521f7c

SHA1
5d54ad52baa713513c0be0c0943ee9694c3cafe0

SHA256
4e2969d3e4f2f72ed32195dfa72562a1f8e1ba956d8bd5d7874767062c9d3076

SHA512
d89cece30effccaf0473d4dea71ea05b688c46413f7581fe98846f02f2885c79d1122ccb829738b59d88108c794a06760a26dab03c3b4632c8f791129f13a132

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
11KB

MD5
bfb67fed080b75edce7bc030a1cdf267

SHA1
31cb929ee7d2541a39ba5cbaaf8dd63587938c57

SHA256
19c88064035d89d903ce2f34bcffc1096ec4e72f2ac4f061ff70b2f2bc8ed414

SHA512
f2da0c71995cdcb9d5734bf52646253bafc05c43c4b58e04ced18b207896b0e89a9cd5d733a6a9dbb4b0dfce42462e02b8c15f4ccdcb9ab6c16d0732a4aa0db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
59a4eec818ff1d750ed30eb0f882b216

SHA1
787a6f8c1464d2be5d7dcd7e389531d89ff4b15c

SHA256
bac8795b68acbb91bf2e6853b1676af068a2607673a5dc7a6b3ad3b315d116c5

SHA512
c965c26f39ae6e41c43b20dca27f22b65ad92b3e9b415d08e8476b39265e16694ac59d547cf8dfc9ba8585866a93bbe5a469b60bbcf34c69507675d02c2ce94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
5f29ad3679232bc5bc369b0b36eb54d4

SHA1
9111b6def819912896de51834f3580f7642ce451

SHA256
75e13cdf6e6bc33665d725e8b8309c927dd11292eafc13de1725cf0220ecc581

SHA512
5f1810619d0e50a9a25283573fb638a9b190b49dcbcb9d572813c21de0c284eb2e40c7ff49867ffb8ed04c40614bc50ee5f1d37cc880004471ccd00e66a71d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
32KB

MD5
eb2fe068a0cdcab66087d371a850cf88

SHA1
77de4ec59774449b3a7ae4d94044e7b9b68e5389

SHA256
d3b5e69cad3347a98ba3719a68cf4713b8da795980b94105e4ff3c767a61a6b0

SHA512
9f4194553820615c5b92f189bb40b4d7a4542f42822f009e1aec33484d7eb9b54c7a20bddf1bfe08bc9ffd339ba69d61e49370bc88435cfd74b6cebac95f3035

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
32KB

MD5
5d586e1966e2b4677a35ec3084152295

SHA1
6e5cae1b502a656842525c09aed37b49a2531272

SHA256
4673d48fcf581373d8fed7a90ab2673eb5eb3f4e317e7173980570c7c668560e

SHA512
2b998cc28c19a643246e17fb2ddec353482c64c0650ffda598b976d7edfbb9b8c39ac43ea216002994d259e9d4f418c7dfd7a4d72f4615f62c0dfb3c07c4ba87

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f71ab58f24c25db15c3c60d09675ea14

SHA1
3bc6ca9de8e69ebe73e52e946cc5c2b9df5ca61b

SHA256
8b6de1f069ec4d13f6dbb48742b60c348cea566de60b613f8513c9ad4144bcc4

SHA512
5fc8f629e9b83b9716d6826c3eb82db874352c80e6e417a872dfc30e525a03d3a6fae259a4fb59ed63dd3479354aa63b38415a4599be4fc9df26277e782e0e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f5d9.TMP

Filesize
48B

MD5
9682d7400308e024db20cc2f164bdbad

SHA1
34733497f4faa1043e54ac7eddc6995ef8f6d1e5

SHA256
3b2fd9cee2b5658cbea99af0244f8166e534dc8e9ab38f162b3a436ca8ed29d3

SHA512
2ba78e8907e018acf65942a222a6960c6e97205163b967e418b7aae34b2d76b2179b67b66c55eabc6fda89f51e5ab02c23b8ced55a76a157b2df22904a7859d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Shared Dictionary\cache\index-dir\the-real-index

Filesize
48B

MD5
d97baf6fcfc159c38c017ed9b78fdaa7

SHA1
a0b725aabbd7f948f5e8a986277283c1f72b2826

SHA256
c99b5c6ad5a3dd1c7a44bb11ce174b14688bb26eeae514fc8ed9ecfc7c73e0c2

SHA512
b7b9c63b8751c096ebf4d0001f6cd36522989cc95a7cfa391b5b5490a9c655a054c7447da7a7fcddd84a11c2199f6734c9c2332894802314ff18ea528166535d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Shared Dictionary\db

Filesize
44KB

MD5
b581f0ff8f8aa3371ae47b48c95329e8

SHA1
4f588efadf3675f3526cbe762c50eb8e79d9f2e5

SHA256
f8e7cd835195e4eff7855d20676484ca75f7e7e4fe5b13164fc926b365e1dea0

SHA512
e0a79452acb39838afea8ce34e05c7e5cde68f2a786fe4423ddf2588fc6047339e8e4c3140d7e0447f938b2266f52b9ddbdcc0f40c495d833b47b3f27d7996de

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
291B

MD5
71724ab3609684773d93ab54ce85e2f4

SHA1
1fcab382b9138c0991b004a16729a7b2ff55d327

SHA256
cddae50165db8b6794b5f9aa044dd5a31a7b7bdb73785809b4ec7a14eb359e07

SHA512
fb49102c205ea60b7b442e2de8325b3ef7efddf16f3046f1ee4292d03d602021f235fa833e2ce259752238b3f9d3278a3153855573782eb2b167d8c01acfe881

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
2KB

MD5
d8ba3849a4479a214a302a46c136ce1a

SHA1
37cffb7392c1a3268809a308313f089b2e2c0a6a

SHA256
1bb8905da6f5b0202ea5531aa30b122991d42abdc93fc27eb0548d0e7fb36a14

SHA512
6a8d4ef489496441e93bde407cb21053acf0d54bcad8bde9c98f6290168490f6db4d0134c5b7e00c6ea8031fb3a54ad6a0914e829892331935c4b348161f137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
267B

MD5
db7256ce23430460207045e81de11af8

SHA1
34776c6e91425f3c6a48e7c7a8c0a3494e2ba517

SHA256
6cd6eccdab3232b9a14acde5fde2bfdfa6f78e6a9c9b2f4bea9cbc02b3834eef

SHA512
747d39ad36ceee79c0ec0838391eebe3f1e946f755b1ad3b737c4181fc3425512f9b812b92bedd1f11a60f8320058e7ff66caec1f4726128819b07b44b85c19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\32.png

Filesize
1KB

MD5
a06bc120408cb7209f3ff0ba4b39d01a

SHA1
7b1df3b761840e87b484603da69837ec705cc082

SHA256
708b95af160bcdc6a17ca93f9b91158944cea75b743b4049a6e6ea299f8c7abf

SHA512
a3869426f4c5af3c225076454b2de0bb0f923eceba687ef7a82ae27b5384c90d03f1e6c1d50efdf8a1e51c1c7ab28ec4742fabe1cf75ef346a31f8037714c1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png

Filesize
2KB

MD5
eae9011cbfb45db3e8a6a5f5d4f45554

SHA1
6a45d862f6d6658e14a4c925f5a3e25baab6c875

SHA256
9962fe7bd4e81a0dc05e150a0a602db40bdd7dbff114f16adb712b8b749e1898

SHA512
cee11d79da34f767e1aff3771847b8008c0424825102decde2d0d51ea33f9a03262bdabd3938c5948bea95a4fdd46217cb81c1669ff5629e348265a40e30f9c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png

Filesize
3KB

MD5
3c4bbde0c0ec7a7694b78ca833e41ba8

SHA1
e4afa932cecf06e03f59c9b6041ee723e10fcb2d

SHA256
4e0c7afe519c86da175dae1f069379a40694ae49391fdc3c7ccdf5c396e78ade

SHA512
523777c57a8c4d49faed221cbfea7dd589f9c576d2bb9386c6d84e47f5b30762a3012bbd702ea3c51b3f71c48e403b40b297928b94ce36e1a873047d27313006

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png

Filesize
1KB

MD5
60953b3aca67505c2c7ea1a902e84d51

SHA1
5e6a8e04a96e36306c66409edd4775a606f13f54

SHA256
3197a2ac164c5bacb65f02fd9a6eb9c0a533fdf3b24f43043bbe9af65ed6608a

SHA512
2e65ec84471c3f703617171aa32f1a0d6c57d73e1d5c074b92d20d580df78e7ac4eef5ce54ab7defd0027bb38e33c44a6602d3e123a2fd310e514af0f5b38086

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png

Filesize
2KB

MD5
1625c1dd7bab831d8ab5308a1a71d525

SHA1
f1c145985a7c8c18891caaba0f46729bcbd1f63b

SHA256
9bdfc3aa03d4e41b0d83862ce02f9fe7fdb55a492280d86d551b91a24efd47ca

SHA512
75079bcb02482abd10b121d81fe39607dcac17bb3107ca274c549b570bb473260dfdbdd13df769b1745425ac5433a22fd392a2a1d815897e0c2091b787bada8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png

Filesize
2KB

MD5
e6671b804d6013a6706ea598e2d854c5

SHA1
40e4f401fe4afbf7bda49a02fe94f5308868460e

SHA256
57d5cd9fa59f944ffc78ec2a12633a79e2f923124fc50676ffbecaef5021b4a9

SHA512
7b11a47497ae5810ec4c7038ebf8358f03d79126886feb6daffd92d116fd606f530ecced9c3d635c0f57b9f9eb80ed9e8fa4eb98b029f9fd798d9b89ccd279a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Applications\Temp\scoped_dir2864_789082752\Icons\128.png

Filesize
5KB

MD5
6a371e7bbf132a71f031772845249b9c

SHA1
36f499f3a2e2bf885019d914a0cc6e8b3e035a79

SHA256
99b19cf47ea4e47b933229e92b87a474fbd5af7936bdf885c2240d0e6f4bdaaa

SHA512
b1fdcd5af84fa476808b8e89794d9df9f8e48b3e7c1a2239deae10832834d01bf311803ac95b3774d781be791b47389310ca866e1a6b497925ca6e2f004555a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
13B

MD5
3e45022839c8def44fd96e24f29a9f4b

SHA1
c798352b5a0860f8edfd5c1589cf6e5842c5c226

SHA256
01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd

SHA512
2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
80KB

MD5
e724cafff3d789204c3f77a01da1ebc9

SHA1
bb357cfeed58fbc2903e990e09d193b6cff23a3c

SHA256
f75dcca51e049671bd9919157914097b5c151a35713839ec625817ba9fa8140a

SHA512
0568cc4bee8e0e84dca056eb5361a1ce98499fa2082d930fd780d10be58c0173a9640e6075d551214f61ca7bd45293a69002ad3224ae94c99f146bde46291078

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
154KB

MD5
06a0081c040c99d832c30c3414826790

SHA1
a6632969eb0406450df6703a028570b6ebab9de9

SHA256
a093582723fd1851d27d132041447ca529a618a286e23195652106cdaa6f4f77

SHA512
1094d8d41771fd3c0d460383dc4475a88fff4dbecfbac59d3b475621fcb590b58db5f10124ad5072a1c8bb5aa61afb8947d38a62637c89a6957aea5fff0e4476

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
47KB

MD5
08e3ffb0e5c9e64f923c5211a0cc1b71

SHA1
64d2a3556a6ba2dfecb4574054f7bcda3c0a7cee

SHA256
c576fd03e5bc903f1eee72ef3cf812a3a624d873096c216efe1b7bacbd6038ac

SHA512
6f3e56616c379fb0aaf43c996ac286f3249080f6ac781abfc24701d7deb73938cbe0b6d40ca8c605bbf7ffe30532cfd11d38d64b365f60bf4b0e22f2624d501f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
40KB

MD5
9e358e366f0da211664707da98461122

SHA1
639610ad9b32ffc4ea100fc6c94fa46c3aa02892

SHA256
80cffaf8d227770991edb927f10ae3441dc7eebd5b3b7ed404246ce992a97cfb

SHA512
32780b460137dac71955fa1cc298c96e4a62c6758fc0990af96495597d042d99721f8bcd91938e797c9f2d35e32824041a949547dc02ffd8d5dd931b470e5bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\ShaderCache\index

Filesize
256KB

MD5
63f1d2ef01c70b1a119501c941c4c461

SHA1
d9a12179ce941d29764c1b69cb69a50f7059e479

SHA256
8df61c1e5171f3c872d5001025cca11fd97b2169a7a4ffe416c67f4673e4ae2c

SHA512
ad58f5bec0aa14c25311d821d7e256112032be2063ff00c304ebcaeacef3bb073ef9a3636c6cfaedcec0f506fdb84cba40fc7794b1aed590543ab5445e7e4579

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\ee959f48-d9c1-4085-ae89-4c00f9717e1b.tmp

Filesize
37KB

MD5
b1722c0602d27d0ef874a23e251aaa81

SHA1
8158de006ec3e56bbbcb3fe25352e8675b3229eb

SHA256
4dcdae9cbecfd7e50f9ceab3dba2f91f8f6001e1d8a15a7648153fc2b76515b2

SHA512
7659c30d0fa66769808235823961b04a82ce8cf1fe449b7bb87d36dd01f147e71fe04bd1d7a977638ab925ab4ef9d86464512c4399f16a34efe56f5e80aaa398

Download Submit
C:\Users\Admin\AppData\Local\Temp\iiqsnqvnhdhkynrgfbe

Filesize
4KB

MD5
a29bce2a8e6c788fc15c1f2d4da84424

SHA1
46476bad5313f49a41fefa34c89c8b6793780eed

SHA256
565d3209bd3b0d71a8ea0cfae6a3052d52c456ba469da6098e3b9ac6f6b9560e

SHA512
dd8886ef8f3eba18377e3c7b5fc22c5ee756c0548d0fefa9e90aec92a8a77e95a421325702f0d7c7891ec319c832ea4ddd2bcd896e5ef0cefbd613a11e40992b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj7744.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5944_1066208111\5f131607-b1c9-4c20-b373-30021bc4c7a8.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5944_1352277269\CRX_INSTALL\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5944_1352277269\CRX_INSTALL\_locales\en_US\messages.json

Filesize
1KB

MD5
64eaeb92cb15bf128429c2354ef22977

SHA1
45ec549acaa1fda7c664d3906835ced6295ee752

SHA256
4f70eca8e28541855a11ec7a4e6b3bc6dd16c672ff9b596ecfb7715bb3b5898c

SHA512
f63ee02159812146eee84c4eb2034edfc2858a287119cc34a8b38c309c1b98953e14ca1ca6304d6b32b715754b15ba1b3aa4b46976631b5944d50581b2f49def

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5944_1352277269\CRX_INSTALL\manifest.json

Filesize
1KB

MD5
2a738ca67be8dd698c70974c9d4bb21b

SHA1
45a4086c876d276954ffce187af2ebe3dc667b5f

SHA256
b08d566a5705247ddc9abf5e970fc93034970b02cf4cb3d5ccc90e1a1f8c816e

SHA512
f72b9190f9f2b1acc52f7fbb920d48797a96e62dfc0659c418edbbc0299dccf1931f6c508b86c940b976016745b9877f88f2ee081d3e3d5dcdcc2cc7e7884492

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X5A1A60GXS6W08WSF5FK.temp

Filesize
3KB

MD5
e4a595f9819e77a1f9497584b1af43d9

SHA1
59cf78dcf11af54fc2749a103af142bfa9431476

SHA256
64da37fb5c6c940b31c08c6ccd9c306a6356c2d96581ed403190cd0c4653e5bd

SHA512
644921d7cd3772d58a8adf04c70ca0fbe8c9dbe2c8d7dceb8b42b5e50d83a38a8055a3fc6953ee6463b50e335b3bd165a2044026b4df3b63fff3962bdd98b954

Download Submit
memory/1452-52-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1452-70-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1452-56-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1452-65-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3700-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3700-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3700-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4348-313-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/4348-1589-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/4348-46-0x0000000035550000-0x0000000035584000-memory.dmp

Filesize
208KB

Download
memory/4348-332-0x00000000774E1000-0x0000000077601000-memory.dmp

Filesize
1.1MB

Download
memory/4348-41-0x0000000035550000-0x0000000035584000-memory.dmp

Filesize
208KB

Download
memory/4348-45-0x0000000035550000-0x0000000035584000-memory.dmp

Filesize
208KB

Download
memory/4348-104-0x0000000035C70000-0x0000000035C89000-memory.dmp

Filesize
100KB

Download
memory/4348-39-0x00000000016E0000-0x0000000004A5D000-memory.dmp

Filesize
51.5MB

Download
memory/4348-103-0x0000000035C70000-0x0000000035C89000-memory.dmp

Filesize
100KB

Download
memory/4348-38-0x00000000774E1000-0x0000000077601000-memory.dmp

Filesize
1.1MB

Download
memory/4348-1602-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/4348-1601-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/4348-34-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/4348-937-0x0000000035550000-0x0000000035584000-memory.dmp

Filesize
208KB

Download
memory/4348-1600-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/4348-30-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/4348-23-0x0000000077585000-0x0000000077586000-memory.dmp

Filesize
4KB

Download
memory/4348-1596-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/4348-22-0x0000000077568000-0x0000000077569000-memory.dmp

Filesize
4KB

Download
memory/4348-1457-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/4348-21-0x00000000774E1000-0x0000000077601000-memory.dmp

Filesize
1.1MB

Download
memory/4348-20-0x00000000016E0000-0x0000000004A5D000-memory.dmp

Filesize
51.5MB

Download
memory/4348-101-0x0000000035C70000-0x0000000035C89000-memory.dmp

Filesize
100KB

Download
memory/4348-1595-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/4348-1594-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/4348-44-0x0000000035550000-0x0000000035584000-memory.dmp

Filesize
208KB

Download
memory/4348-1590-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/4348-1591-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/4348-1592-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/4348-1593-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/5704-18-0x00000000774E1000-0x0000000077601000-memory.dmp

Filesize
1.1MB

Download
memory/5704-19-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/6104-58-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/6104-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/6104-57-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/6104-54-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download