vidar | b6e7e1ddaceee8c401056c0bd2e552c3545f6906b7de4b62ab3a239e5b01dfa7

Analysis

max time kernel
127s
max time network
141s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
30/03/2025, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.ps1
Size

3KB
MD5

21c010cf4481df82d7e5e4a0b4260793
SHA1

d2ae87b41aa4e951c3a3131ce7ebc8969948ed97
SHA256

b6e7e1ddaceee8c401056c0bd2e552c3545f6906b7de4b62ab3a239e5b01dfa7
SHA512

8f97b34ecda980b0a738d98a99a28ba6f6ceafe65ae97f41b0fc8561a919796e729429507a18e9fe0ef79feb6ee892afb29fc325615c920d72111f3649b3bf5f

Score

10^/10

vidar 00cb84c6bd4caac4bdfc1131beae4df7 credential_access defense_evasion discovery execution persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

13.3

Botnet

00cb84c6bd4caac4bdfc1131beae4df7

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://jacrcell.com/joomla/crypted.exe

exe.dropper

https://installsh.pages.dev/config.ps1

Signatures

Detect Vidar Stealer 57 IoCs

stealer

resource	yara_rule
behavioral3/memory/4872-50-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-51-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-52-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-60-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-62-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-63-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-65-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-66-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-67-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-68-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-70-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-69-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-87-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-409-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-410-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-411-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-412-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-413-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-414-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-415-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-416-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-417-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-419-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-615-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-647-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-648-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-649-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-654-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-655-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-656-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-657-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-658-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-659-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-660-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-661-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-663-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-664-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-665-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-666-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-667-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-668-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-669-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-670-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/4872-671-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/3052-728-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/3052-733-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/3052-734-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/3052-735-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/3052-736-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/3052-737-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/3052-738-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/3052-739-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/3052-742-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/3052-743-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/3052-1102-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/3052-1104-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral3/memory/3052-1103-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Blocklisted process makes network request 4 IoCs

flow	pid	Process
8	3004	powershell.exe
218	3004	powershell.exe
220	4024	powershell.exe
364	4024	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4024	powershell.exe
3004	powershell.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
220	4024	powershell.exe
8	3004	powershell.exe

Uses browser remote debugging 2 TTPs 16 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
348	chrome.exe
5360	chrome.exe
1248	msedge.exe
5876	chrome.exe
3436	chrome.exe
2920	chrome.exe
1740	msedge.exe
4396	msedge.exe
4392	msedge.exe
5784	chrome.exe
4564	chrome.exe
2808	msedge.exe
2976	chrome.exe
5668	chrome.exe
3948	msedge.exe
3528	chrome.exe

Executes dropped EXE 2 IoCs

pid	Process
4768	updater.exe
5800	updater.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate.ps1 = "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\UpdateCache\\WindowsUpdate.ps1\""	powershell.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
5936	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4768 set thread context of 4872	4768	updater.exe	91
PID 5800 set thread context of 3052	5800	updater.exe	132

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
3028	timeout.exe
4764	timeout.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133878342249444903"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	powershell.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3004	powershell.exe
3004	powershell.exe
4872	MSBuild.exe
4872	MSBuild.exe
4872	MSBuild.exe
4872	MSBuild.exe
3436	chrome.exe
3436	chrome.exe
4872	MSBuild.exe
4872	MSBuild.exe
4872	MSBuild.exe
4872	MSBuild.exe
4872	MSBuild.exe
4872	MSBuild.exe
4872	MSBuild.exe
4872	MSBuild.exe
4024	powershell.exe
4024	powershell.exe
3052	MSBuild.exe
3052	MSBuild.exe
3052	MSBuild.exe
3052	MSBuild.exe
2976	chrome.exe
2976	chrome.exe
3052	MSBuild.exe
3052	MSBuild.exe
3052	MSBuild.exe
3052	MSBuild.exe
3052	MSBuild.exe
3052	MSBuild.exe
3052	MSBuild.exe
3052	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3948	msedge.exe
3948	msedge.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeIncreaseQuotaPrivilege	3004	powershell.exe
Token: SeSecurityPrivilege	3004	powershell.exe
Token: SeTakeOwnershipPrivilege	3004	powershell.exe
Token: SeLoadDriverPrivilege	3004	powershell.exe
Token: SeSystemProfilePrivilege	3004	powershell.exe
Token: SeSystemtimePrivilege	3004	powershell.exe
Token: SeProfSingleProcessPrivilege	3004	powershell.exe
Token: SeIncBasePriorityPrivilege	3004	powershell.exe
Token: SeCreatePagefilePrivilege	3004	powershell.exe
Token: SeBackupPrivilege	3004	powershell.exe
Token: SeRestorePrivilege	3004	powershell.exe
Token: SeShutdownPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeSystemEnvironmentPrivilege	3004	powershell.exe
Token: SeRemoteShutdownPrivilege	3004	powershell.exe
Token: SeUndockPrivilege	3004	powershell.exe
Token: SeManageVolumePrivilege	3004	powershell.exe
Token: 33	3004	powershell.exe
Token: 34	3004	powershell.exe
Token: 35	3004	powershell.exe
Token: 36	3004	powershell.exe
Token: SeIncreaseQuotaPrivilege	3004	powershell.exe
Token: SeSecurityPrivilege	3004	powershell.exe
Token: SeTakeOwnershipPrivilege	3004	powershell.exe
Token: SeLoadDriverPrivilege	3004	powershell.exe
Token: SeSystemProfilePrivilege	3004	powershell.exe
Token: SeSystemtimePrivilege	3004	powershell.exe
Token: SeProfSingleProcessPrivilege	3004	powershell.exe
Token: SeIncBasePriorityPrivilege	3004	powershell.exe
Token: SeCreatePagefilePrivilege	3004	powershell.exe
Token: SeBackupPrivilege	3004	powershell.exe
Token: SeRestorePrivilege	3004	powershell.exe
Token: SeShutdownPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeSystemEnvironmentPrivilege	3004	powershell.exe
Token: SeRemoteShutdownPrivilege	3004	powershell.exe
Token: SeUndockPrivilege	3004	powershell.exe
Token: SeManageVolumePrivilege	3004	powershell.exe
Token: 33	3004	powershell.exe
Token: 34	3004	powershell.exe
Token: 35	3004	powershell.exe
Token: 36	3004	powershell.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeIncreaseQuotaPrivilege	4024	powershell.exe
Token: SeSecurityPrivilege	4024	powershell.exe
Token: SeTakeOwnershipPrivilege	4024	powershell.exe
Token: SeLoadDriverPrivilege	4024	powershell.exe
Token: SeSystemProfilePrivilege	4024	powershell.exe
Token: SeSystemtimePrivilege	4024	powershell.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3948	msedge.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
2976	chrome.exe
1740	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 4768	3004	powershell.exe	88
PID 3004 wrote to memory of 4768	3004	powershell.exe	88
PID 4768 wrote to memory of 4860	4768	updater.exe	89
PID 4768 wrote to memory of 4860	4768	updater.exe	89
PID 4768 wrote to memory of 4860	4768	updater.exe	89
PID 4768 wrote to memory of 4868	4768	updater.exe	90
PID 4768 wrote to memory of 4868	4768	updater.exe	90
PID 4768 wrote to memory of 4868	4768	updater.exe	90
PID 4768 wrote to memory of 4872	4768	updater.exe	91
PID 4768 wrote to memory of 4872	4768	updater.exe	91
PID 4768 wrote to memory of 4872	4768	updater.exe	91
PID 4768 wrote to memory of 4872	4768	updater.exe	91
PID 4768 wrote to memory of 4872	4768	updater.exe	91
PID 4768 wrote to memory of 4872	4768	updater.exe	91
PID 4768 wrote to memory of 4872	4768	updater.exe	91
PID 4768 wrote to memory of 4872	4768	updater.exe	91
PID 4768 wrote to memory of 4872	4768	updater.exe	91
PID 4768 wrote to memory of 4872	4768	updater.exe	91
PID 4768 wrote to memory of 4872	4768	updater.exe	91
PID 4768 wrote to memory of 4872	4768	updater.exe	91
PID 4872 wrote to memory of 3436	4872	MSBuild.exe	94
PID 4872 wrote to memory of 3436	4872	MSBuild.exe	94
PID 3436 wrote to memory of 5020	3436	chrome.exe	95
PID 3436 wrote to memory of 5020	3436	chrome.exe	95
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 1088	3436	chrome.exe	97
PID 3436 wrote to memory of 4940	3436	chrome.exe	98
PID 3436 wrote to memory of 4940	3436	chrome.exe	98
PID 3436 wrote to memory of 3084	3436	chrome.exe	99
PID 3436 wrote to memory of 3084	3436	chrome.exe	99
PID 3436 wrote to memory of 3084	3436	chrome.exe	99
PID 3436 wrote to memory of 3084	3436	chrome.exe	99
PID 3436 wrote to memory of 3084	3436	chrome.exe	99
PID 3436 wrote to memory of 3084	3436	chrome.exe	99
PID 3436 wrote to memory of 3084	3436	chrome.exe	99
PID 3436 wrote to memory of 3084	3436	chrome.exe	99

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\sample.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\3b402a48-baf4-4897-a233-fee131499fa7\updater.exe
  "C:\Users\Admin\AppData\Local\3b402a48-baf4-4897-a233-fee131499fa7\updater.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4868
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Drops file in Windows directory
      Checks processor information in registry
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3436
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff87df7dcf8,0x7ff87df7dd04,0x7ff87df7dd10
        5⤵
        
        PID:5020
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1972,i,17721777949096728263,750744816538639301,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1976 /prefetch:2
        5⤵
        
        PID:1088
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1616,i,17721777949096728263,750744816538639301,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2528 /prefetch:3
        5⤵
        
        PID:4940
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2316,i,17721777949096728263,750744816538639301,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2548 /prefetch:8
        5⤵
        
        PID:3084
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3252,i,17721777949096728263,750744816538639301,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3264 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5784
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3288,i,17721777949096728263,750744816538639301,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5360
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4388,i,17721777949096728263,750744816538639301,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4412 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:4564
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4692,i,17721777949096728263,750744816538639301,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4720 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2920
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3232,i,17721777949096728263,750744816538639301,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4608 /prefetch:8
        5⤵
        
        PID:2172
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4432,i,17721777949096728263,750744816538639301,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4704 /prefetch:8
        5⤵
        
        PID:4244
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5340,i,17721777949096728263,750744816538639301,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5336 /prefetch:8
        5⤵
        
        PID:3292
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5384,i,17721777949096728263,750744816538639301,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5368 /prefetch:8
        5⤵
        
        PID:1476
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5600,i,17721777949096728263,750744816538639301,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5348 /prefetch:8
        5⤵
        
        PID:4552
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5380,i,17721777949096728263,750744816538639301,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5700 /prefetch:8
        5⤵
        
        PID:5836
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5348,i,17721777949096728263,750744816538639301,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5328 /prefetch:8
        5⤵
        
        PID:3140
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5720,i,17721777949096728263,750744816538639301,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5740 /prefetch:8
        5⤵
        
        PID:1728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Drops file in Windows directory
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:3948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x274,0x7ff87e3ff208,0x7ff87e3ff214,0x7ff87e3ff220
        5⤵
        
        PID:1452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1892,i,1498844495282120517,6687019767454304283,262144 --variations-seed-version --mojo-platform-channel-handle=2600 /prefetch:3
        5⤵
        
        PID:4124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2572,i,1498844495282120517,6687019767454304283,262144 --variations-seed-version --mojo-platform-channel-handle=2568 /prefetch:2
        5⤵
        
        PID:4460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2180,i,1498844495282120517,6687019767454304283,262144 --variations-seed-version --mojo-platform-channel-handle=2608 /prefetch:8
        5⤵
        
        PID:3048
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3460,i,1498844495282120517,6687019767454304283,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3468,i,1498844495282120517,6687019767454304283,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1248
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\asr90" & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:2100
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3028

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:956

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:6008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\UpdateCache\WindowsUpdate.ps1"
1⤵
- Hide Artifacts: Hidden Window
PID:5936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\UpdateCache\WindowsUpdate.ps1"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Downloads MZ/PE file
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4024
- - C:\Users\Admin\AppData\Local\942478e2-d50b-4e3b-a952-afc3e319a38c\updater.exe
    "C:\Users\Admin\AppData\Local\942478e2-d50b-4e3b-a952-afc3e319a38c\updater.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5800
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:3052
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:2976
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff87ff1dcf8,0x7ff87ff1dd04,0x7ff87ff1dd10
        6⤵
        
        PID:1424
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1980,i,46688787240721515,514457009494885260,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2140 /prefetch:3
        6⤵
        
        PID:888
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2112,i,46688787240721515,514457009494885260,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2108 /prefetch:2
        6⤵
        
        PID:4184
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2312,i,46688787240721515,514457009494885260,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2324 /prefetch:8
        6⤵
        
        PID:4428
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3268,i,46688787240721515,514457009494885260,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3304 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5876
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3276,i,46688787240721515,514457009494885260,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3500 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3528
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4272,i,46688787240721515,514457009494885260,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4332 /prefetch:2
        6⤵
        Uses browser remote debugging
        
        PID:5668
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3880,i,46688787240721515,514457009494885260,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4620 /prefetch:8
        6⤵
        
        PID:1056
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4544,i,46688787240721515,514457009494885260,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4796 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:348
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4956,i,46688787240721515,514457009494885260,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4968 /prefetch:8
        6⤵
        
        PID:6052
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5316,i,46688787240721515,514457009494885260,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5324 /prefetch:8
        6⤵
        
        PID:2324
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5532,i,46688787240721515,514457009494885260,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5548 /prefetch:8
        6⤵
        
        PID:4480
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5616,i,46688787240721515,514457009494885260,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5576 /prefetch:8
        6⤵
        
        PID:4584
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5568,i,46688787240721515,514457009494885260,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5592 /prefetch:8
        6⤵
        
        PID:4904
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5404,i,46688787240721515,514457009494885260,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5840 /prefetch:8
        6⤵
        
        PID:4964
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5584,i,46688787240721515,514457009494885260,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5828 /prefetch:8
        6⤵
        
        PID:240
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:1740
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x274,0x7ff88039f208,0x7ff88039f214,0x7ff88039f220
        6⤵
        
        PID:3676
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1920,i,1692167547232544382,7744031523180028047,262144 --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:3
        6⤵
        
        PID:4288
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2168,i,1692167547232544382,7744031523180028047,262144 --variations-seed-version --mojo-platform-channel-handle=2164 /prefetch:2
        6⤵
        
        PID:5444
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2504,i,1692167547232544382,7744031523180028047,262144 --variations-seed-version --mojo-platform-channel-handle=2476 /prefetch:8
        6⤵
        
        PID:3616
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3500,i,1692167547232544382,7744031523180028047,262144 --variations-seed-version --mojo-platform-channel-handle=3588 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4392
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3508,i,1692167547232544382,7744031523180028047,262144 --variations-seed-version --mojo-platform-channel-handle=3592 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4396
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\e37gd" & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4764

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D40B29EF2AAB638A6E53A219BE0F7862_7CC1BE4083661CE8C617B0F6CF027C04

Filesize
346B

MD5
5b258e8d665ed707ae7a11c6c6c4b2fa

SHA1
fdcd580b8b051e01f1fd104bb16e331057486120

SHA256
56264a7b7b59136dbaf57a076106b075e1772dd64864df600a041db0a3fb646b

SHA512
a183b3dfc7f884cf0094a3674663418144b3548f5fcc3d39768618598f1f932b82a3e0c09df2782051b2d3bb7a398d85f49ae38765f3acca6e7f8f8a5666a7ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
d0c7de94bd578fdeaa5ae29cfc5389df

SHA1
007400445ab09cc5dbc8bd748e0444ac28f511ab

SHA256
7b01385265c239be9f21816bcd80afda29255d61d9da6b30a8c6442798e9a2ba

SHA512
9a2b947d17b7a7125b37a6907f9c6beef23c6322f1f9eabe1c26913ae294f365f5cc96bca04061fb40dc570078f56a9a7e5c2b8873f10455f8ca7004c8ed307b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D40B29EF2AAB638A6E53A219BE0F7862_7CC1BE4083661CE8C617B0F6CF027C04

Filesize
544B

MD5
42988a1562059904d1d83a70a5d20f83

SHA1
ec36b5ff3d0ec1c345ae82a4a3f85fcb9609c117

SHA256
a3b4d9882172e08437e40ac708826cebbfdd4249d0fad9bda31484a27f1c9fbe

SHA512
8dd33d5a7e56b41a9dee0c177194746807b96e36f288c0a6010f99bdab59562a39ee456fcf0cfc3ac19f10c31f899d6246c48084d76c5b03e206577ce1d531da

Download Submit
C:\Users\Admin\AppData\Local\3b402a48-baf4-4897-a233-fee131499fa7\updater.exe

Filesize
1.7MB

MD5
175c9b6b2db3b3624f7df4c54dff3262

SHA1
a96c038467d2d6ff0b95275a828948997b6987a3

SHA256
5ce7687d00cc5cdc0b7575bc68940f7a092a1f559f987f3b6a9b0c837eaa6496

SHA512
3d728ce053930f16c8debc087807b3eaadef3c9b21a452b49f13ce767b35b221e71b15db8c849fe71c7d0077d2c0ab31506762626622f87347c596260cddff34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
34c29bdb9e41b1f47f2d2786762c12ec

SHA1
4075131b18c3487e3e848361e112009c897629c7

SHA256
67ee11b51cd6f637795e31ab501f135ed595c8459bce885735f08b0418513a17

SHA512
ca3a978798e77b2ced27b379f38e935ef18beaa7ea23e34270a9af20b37e1b1c5edf9478606311cf1acabd83992766cb3da8444de9394c674d5955bdbc53c0d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
4c04433d33ff1c228e2c6f3a4dff025b

SHA1
6917a004d5303ff3ab8751ecb55c2c6906d3d274

SHA256
be84421014f200b40bf3fad961f6ec6f0ec3b947a90fdee51beab2dec1fabef2

SHA512
51c9f9267e7f7a7769ed28630a832c5214a905bee7cac546708b4d961b67e3f2d9830d5b18d7b21f32a837bdc1dae730917f04c573fcc159338164588a3eeb29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
498d1dff43773893500f7d41314dbb3d

SHA1
9b11a178c9e83e1c7a6c3469f6b6ec8f7e579aca

SHA256
16925969292989978c1801186b5f7100f4bc5425ba17508e32cbd27f85e0788a

SHA512
39c3024df8f364024aa137fae4aaeb54d8a69688755c9b98d7d1d356972593984518f42e983f7d0f83794ab294ff0a5fb06ae8162e2545de38c6a579e83a72f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
6df5797a9ed176fcb2eab5fe913307cc

SHA1
3756d4e19390f337e1c6059a58d52d92431e46ad

SHA256
bcc7b3552c181ccee3e8bd27dc985b59b2fadbc51173a28ffd7ef32363ba8e88

SHA512
754d7cc93244cdca590ebc1011ca85a98fd3ad26322d6c78d1c14ffb080c7321f70de2e2bf8963b55a56f132037dee70f66df756f6445a6bde8d1154e4cb5ffc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
577287b260d7016c5fa897d4dd5e53e9

SHA1
bb9b7f7b543d3e2ac5c584cc7debeb7b5fda6f9b

SHA256
ca0a8ff8d6da3e523642edde663bbec2d89f9a5257b7cac2fafb3464b618798b

SHA512
55d7357f52420c38a38716ca206ccbed821cd2ef9bcb121bea6934d91f203ebb1df8e8c09ba0d26ab9ab20ca093fb5d9e94d58e85fd72363a317e06dfb6baf09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
0605b75c5c345cc202a7885499cc09a7

SHA1
540568cdb245ba26bce8711347e456320012e83d

SHA256
8ed5d8964a977a79c5aacf34853c9e5e00a06de2f2f0964a56c4089805a2dda8

SHA512
dae16a98e4cf861b918d684f0d7660e1c6647897afeded6859253a51f8dd95c41f007e3f20fe43da0292b493c170cb94fb8370d7b17b4f23cf2950cec477f9a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
0097369478e4555e0d4fbb166f534e0e

SHA1
df5cf497c8ebe15111494ed13b9e2d98fab5480c

SHA256
a0aa8ffb6e55f0dfef59d9461a241f9b41460eec860377e69d8ce51c81e15373

SHA512
499893077a4e70b154abd25bb37c2b46187991ff468f1002b1521206760103ad93bc54f09454f5ce76a7236b87d0e609abb04cf8f97a833132f6fd8fc7d48861

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
27KB

MD5
99ac36612a299555bb89d2befb08aee0

SHA1
1782e35de9f2aa6c67964ededbf6059c941b4df8

SHA256
bfbf5b773068c90cc65e6626c30f5a30e778aed5c4ac51fa3b12e937510e6f69

SHA512
a9b9831cbda4c4f970d155ce0709230f046e0b122a58962415ca0a6b6928cc549b395985030104917dfe3847f1d5c9cd7fcaf5b307396a2025f60721f35ad7d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
35KB

MD5
72371c73794a79adf794b1b84b5c2e11

SHA1
c6746d091ed70f39cf3969a8dde02e2512b92416

SHA256
00961b24381b765cae0ea624ed09b095c05d5943115254046dde08d2fb4fb06e

SHA512
2cf72d45e7fd6e656937fe3baf3475f80e0952e606c76c63e988660f88ad10f1c3212cbef250db5da50b6707e5fe2a61e8afc218f6857f5f75a66142ea177071

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
63KB

MD5
1901d2bcbbabee4bbb9804c30642ae2b

SHA1
f31774bc12614be681c0b0c7de3ac128f0e932db

SHA256
15eba349e5829f11363614b8f3dd9c3d04994586601d3c4c4d8069e0f5655310

SHA512
bdb94d7d8cf47b239c61559545b1dd26e05da909fec05d215471388545879cd8ec9e1fea51c04ed43927e2b07b5b80a74f09eb9038c8d9045e4161ea69df215f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
38KB

MD5
f53236bc138719b68ccd1c7efb02a276

SHA1
26b7d3eea5d3b12d0b0e173ebf2af50a7d7e56d6

SHA256
787c14f8cc865430c03c96a345044b7c5b8dc8a032511a500d4a42228533acd8

SHA512
5485bc7ccce8ec75f60bca3be846086a4bd4466009c8e22da9cdd16bb1154529af2fb2667cd3a97485cc4f6635fb79ac0fdda4f3e1f39f25f6196f708a92d740

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
320B

MD5
e534e2c15f1b8568ceb32e0ecf6eba77

SHA1
25d04d2f48ac39d42426e2ada33e6c127c35dd20

SHA256
8aeb11db36fbdf69c8337a7d335983ed7162f05f974a4e06dd192d4b73940870

SHA512
93edbc5fbf29abf906558c985ecd1ade9431779d230dd8eb20f72124e34f78a2c2191083ce9c1553d8dcc664eed3d850754133cb6b309f4470ff1d2cecfaba8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
6b30575aa539ec506c237b6b2a48816e

SHA1
dab188a00993ba322118aec585d52c13c69bc0c8

SHA256
dc3397bb26a81323e56a83127ee2615610286f024d41ad3a40e68cf91f8418da

SHA512
f449180e1a50983a86bf14c87fd2a8db17f4875fbb08ab6023e746082314c311d5714a0f3fb4c3092cf3af545b3b590d42c9eef3d66cd7c5bcaddaaa8ae21c06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log

Filesize
3KB

MD5
8dd80152bed640664b1a702398136c1c

SHA1
8e3cef25f03557caa7c4ee7ae878eaff45e7ed6f

SHA256
d87ae6868feff79bee76d33a56ab0c86e95b01bf70c497fa74ee9e529a9559fe

SHA512
dbb9cfdca8bfab8a8e157e4fb6188fa6880a9af671b0712d685a42f1a47aec38b9f7fbae4d236bd213ea199fc3aecfb2a0d19d26f062b3a033ea5040a5bdf072

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG

Filesize
333B

MD5
21f98709fdb4843ba0255a12f0a4ed69

SHA1
5280f370c383e3cccdd8b9ce4d5253f390e086e8

SHA256
c940955ed64000a06d14182dc93f9e2fb64efa88201dc8ed5e2576df9b8992f5

SHA512
871139584dd8dab2d2409b471ca7d65355fbefefb4286af7e1bed1d307373e05770dc780e6d7de196a28d41f447d6d0789832b66499eba6504ec4605ba10019b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_0

Filesize
128KB

MD5
ad5500392a3d6dab62cbbed72729419d

SHA1
74b1d039a44cc37e62dc573d0d14efe2ead9e391

SHA256
aac955452d846e19791a2c1f30dba6a9c1ebde5b20547d37c6e7ebb6c62154eb

SHA512
454433c661570990955c25eedb52ebdf5ae2317ac062cb23be3537b1cc8b5afc2a1d3d1e370951641a473cccb0f3ddee9db34dee2bb7f52db5bb4c9a609a1872

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_1

Filesize
343KB

MD5
770e00dfdb87d8437b19581c6794e30f

SHA1
2f1dadd716b98238e3baf2a98b79233fa17c7a61

SHA256
4e77cbaeb1682d18bdb3edb21e1c4b5f7d63aa1623c9895882bde6e4c0b0a607

SHA512
771bacb303273f9d58ace217bd7a962d7c77274991578fc4fed5e3d4ceeee219f19a8dd6bdce50e333d3eda2630bcf2368959e1643d4de6cc799d972914b5335

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
48B

MD5
42831a75e1068ed987305db2dff2dc53

SHA1
a40531a80187bd14a66743554dc2e3832b277f19

SHA256
6776c664c7a97eb42a1428eede0b9299a359ee336c8f23940604a1494e148b0c

SHA512
2b0c29d2b334a677d44df6fa4cc9e6702a2d3c34589ab3c95e2fc9520e8f665d176babef4a14e57437a78935e14426e71b8239668864c109ede49bb11e68af6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
317B

MD5
91548ab4a2c7418d5cb699d7bcb08f18

SHA1
9bca5b30ed559caae8c70786babddf3278747c24

SHA256
15bfdc0026b39913e74a858e7a0cdc9824d2a24d09d2d59c88472522b60b70de

SHA512
0bc135a3cb03624bc9690c6441de229af4e288844edf75c956288c68c95914a445383bbcb0d803c35332a2859dcf2551984401c63a31f9b9cd117b31d45199a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
50e34c8cc27403b84a37a2bcac862732

SHA1
1f458f09d39c16733215e45e48332966b1472710

SHA256
ffab249e663874552939d2d6216746ef578965c551fddf5a10b92e06c4b7efe2

SHA512
d4f0c4ab595c9e932bef9a5c5db2b7462c3dba44345a851e7f7eebab74a835aefea565213fe0b12b905eb54026afe096e9a42859d538c94d06d27abafc44d901

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
795f701ebf6531a6ccdccec48d583cd8

SHA1
2ee5961ea18cdc1f0a88a0bab7daa814fc9317ab

SHA256
48d16fee1d4c0972831d426e9e30cd993d742c2c9e3f463082f63f6ffce950b6

SHA512
305ff27db3e3a28109d1e6f3f82980dc49be5fc8b1cd51b011f772f8ce727524610eefdf960459b94c626a620aa1d939c6093a77bbad955fa30b5f45295a979f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
130KB

MD5
5d08e97ffca8eff021f5c0273f1b81b1

SHA1
ef435ac80b1830d2e631485c0c3a6b4ce3818ed3

SHA256
3b30308a7f8ff555c6c5a6b214d212d58e9209c67262f83c77cc56ce0b9c0198

SHA512
c5fb14b3536596f92a91990b9580ba65ce2c99b7b3e05b9d45f31df754b2ac870b6ec50f43479bbab68e7a5bed0b7ceaad2ddda3d3edf9d36ae5be0681ba8dce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager-journal

Filesize
12KB

MD5
7538e12d8c49ceaebb1fc4670877b835

SHA1
d86f308e959016aadccd0e0fde75ab6f11987cc6

SHA256
7b4750c82e8c04e0908c9cb96958f64cf4529c4317bc56f361c05f92ef59717b

SHA512
010fbc3bc2e95dd10f19ea1567216e0b4cc463595ab73f994a01b7b4fe7c2670c72e0eff9916204ade6f063c69f6f51d485d86317aa63238cce6350a92481da4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
24KB

MD5
0feb5651f7f05a544df00ec54894e063

SHA1
10de4f505dbc21f6689f5495e8303cdc805c0c59

SHA256
cad51578006b91a7d473c0c8958b897251b01c7d3d8b59d883decc17209b5c91

SHA512
7dcc79e115f25e5ffbb893a2d0d92afa56b64582ae9c1e46f0e425285a66b4c752951cd5b847c1fff99c5aa5e8c2c27048922a25dec8b1d03bd160d6326e7d87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
317B

MD5
32acf734e5a27477922c9fe890f873fc

SHA1
10e7a66df9286a8f444f5dbb5167c33e98ae9d4b

SHA256
706950f02961de4b7f30e4cf39a9159377ae88abbf361db60c8fc43877c77316

SHA512
2f511b6c9ba722bca6298bdae62a37a1f0cf7c46fc260c698f04c3178756d4687e864eb19ca2e9b468350ea3717660c26449345bd27f6b36482a940e8f3827b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
1KB

MD5
f89aaf7808917a12bd69ee11cc75b7d0

SHA1
6b3856ef5c11f186629ca3d254ab70ac79ffa9d2

SHA256
d9bb783dc2b1373bfaa7792fab70ec4583b1a3073a2e736b3a742a00a5ce616e

SHA512
5e45d3007fcd91b394516b28195da0313545d0494cc3d046667a18782075bdc5c2fefda4cc107d456a5e22989f4c39ab7592afdf30e8b09610326e2b933dd113

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
335B

MD5
58bbcbb70ae0247bff567a28522d9d53

SHA1
ffc2aed835ceebcf2a879d856568917091ddcc60

SHA256
e7b06a6e7bdfe3973b4c6cf85a7244130906195f7e7e17ec3f672e103eaef0ed

SHA512
00857bf4b3f24704e8e9b5486bd4fbb4f1a785c7ef7e0a0978b24cbffbd167a9deef308566d2964da38659600d57de29ddb10334c7a93241ce53c612f0b4656e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
13B

MD5
a4710a30ca124ef24daf2c2462a1da92

SHA1
96958e2fe60d71e08ea922dfd5e69a50e38cc5db

SHA256
7114eaf0a021d2eb098b1e9f56f3500dc4f74ac68a87f5256922e4a4b9fa66b7

SHA512
43878e3bc6479df9e4ebd11092be61a73ab5a1441cd0bc8755edd401d37032c44a7279bab477c01d563ab4fa5d8078c0ba163a9207383538e894e0a7ff5a3e15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
16b7586b9eba5296ea04b791fc3d675e

SHA1
8890767dd7eb4d1beab829324ba8b9599051f0b0

SHA256
474d668707f1cb929fef1e3798b71b632e50675bd1a9dceaab90c9587f72f680

SHA512
58668d0c28b63548a1f13d2c2dfa19bcc14c0b7406833ad8e72dfc07f46d8df6ded46265d74a042d07fbc88f78a59cb32389ef384ec78a55976dfc2737868771

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e85f4dac-cac3-4c2f-bcf2-278d8f6c14c4.tmp

Filesize
80KB

MD5
9e2025e0b7c8626a334f006e16438eb5

SHA1
c5955ad0b8569628fedda95b459cf96da56ba1f9

SHA256
812bfffe7cb8a66ceb21a4fbebcba4d18cfdf4c08dd8b040f8300f7026376b2a

SHA512
5703e78574763083b59de4a8323e59996003ab49e1b268fc95c99f8f463ddfc7c7f42df9c4af3e0d5c3ee82f1ed94566c5ab9a856416b3c536eb49df8be9783a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f8025ea353ec3ee1108e70ee8fee040c

SHA1
95be843ea0a0f4d02a545c86b1eb0253bc2181db

SHA256
fba1a08343f8bd4e072c7106543532173ace3ac422ec05de785f661ccad5f7d3

SHA512
d07cbf04e9fb30c798d6936c4e8b8bac2ac30c030b94345309cd7ceba743c491dd6ec161b498d25f214e47c0786753d116507d84fc724aa881c3a1018c4f62f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
4d7b0551cc8f815c8c6e7fbe8b9dd42b

SHA1
49f7f3bc5043540b99c8f6084d518c091950b445

SHA256
1ac08a7065126dce50829d3423419339e92e80f67250c62efea3506a917e5a26

SHA512
a8decb79ffb6fd826a212ac50d60cbded99b18ffc4cde0f8275e90c8e42bc5545b2600e1eefe8a81c6d6674438091c07f03eff2065b0853e9be2455271dd2a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
aad9ef568b38aa2ab42b57a3cbd8d8eb

SHA1
efe601b188069ca6b54ba6bd63866687c5574780

SHA256
ef0ca3af55b0eb83ea83d3376038feecaef97236df7c556f821c93bd08e86a9a

SHA512
5a3e66a1f995ed2779c7260787a2688118406190312d31e7a77bbfef233d81bbc17dd1bbf77a08ba73e390e22dd973c173b5eb39851b359a9196f48bb6fea963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0a58911e-b4bf-4001-8a07-399d5607acd8.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
138b442fccd0d4f5027f513da95d98f0

SHA1
a8a99b6e7c679b9b5b2fdc0d1a8feeb1d26cfe67

SHA256
42bc415227f505cd6cfe8496247735c87e72d5327ddf4c9ef4fa31a168eac302

SHA512
ff7cf8eeccbb02e2b9d59912c3740e3fa694f65845b087f305946c8f41f6cd42a1f1a317b72ae715727574eaac081fa5215ff82d53a10c36a6398855083ad9c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
28b055ca83317ec90b8431b879012ddc

SHA1
e0e89e7d4a64c7b1148f32d3aee178eb033ae7a7

SHA256
50ac099227aa35b220e5dc4f249017195e60b6686665d9f619e32e77df64512b

SHA512
352c26c09819a6daee2c0f9eee16164fa14b295ba1592d0d21ff1f1ef4c15b0ef86a226605b2a1bc013ac1386b0cada43acfcc414a13a7e381d6c4057df4dbf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
21ffc912cbe094b3bce29d115df4226d

SHA1
e6bd099db2d6e419c4b0ef547c5b62db20c0adef

SHA256
b97c074fa383e382fb4f71395f687be9966b5bf346a8161f1683e8ef4bf7a15b

SHA512
034ca6818a6c87b077e120009fe1812e87924efb8cf2113675f85a2e635308083057580dd5a0dcca0103b08b68db6188b9d930b6bbcd04487c8d002a039e9af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ijwx1fwf.rxz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b98dd71b-1cdb-4889-a099-c9535eba3ede.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2976_533286829\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2976_533286829\CRX_INSTALL\_locales\en_US\messages.json

Filesize
1KB

MD5
64eaeb92cb15bf128429c2354ef22977

SHA1
45ec549acaa1fda7c664d3906835ced6295ee752

SHA256
4f70eca8e28541855a11ec7a4e6b3bc6dd16c672ff9b596ecfb7715bb3b5898c

SHA512
f63ee02159812146eee84c4eb2034edfc2858a287119cc34a8b38c309c1b98953e14ca1ca6304d6b32b715754b15ba1b3aa4b46976631b5944d50581b2f49def

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2976_533286829\CRX_INSTALL\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2976_533286829\CRX_INSTALL\manifest.json

Filesize
1KB

MD5
2a738ca67be8dd698c70974c9d4bb21b

SHA1
45a4086c876d276954ffce187af2ebe3dc667b5f

SHA256
b08d566a5705247ddc9abf5e970fc93034970b02cf4cb3d5ccc90e1a1f8c816e

SHA512
f72b9190f9f2b1acc52f7fbb920d48797a96e62dfc0659c418edbbc0299dccf1931f6c508b86c940b976016745b9877f88f2ee081d3e3d5dcdcc2cc7e7884492

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateCache\WindowsUpdate.ps1

Filesize
3KB

MD5
21c010cf4481df82d7e5e4a0b4260793

SHA1
d2ae87b41aa4e951c3a3131ce7ebc8969948ed97

SHA256
b6e7e1ddaceee8c401056c0bd2e552c3545f6906b7de4b62ab3a239e5b01dfa7

SHA512
8f97b34ecda980b0a738d98a99a28ba6f6ceafe65ae97f41b0fc8561a919796e729429507a18e9fe0ef79feb6ee892afb29fc325615c920d72111f3649b3bf5f

Download Submit
memory/3004-61-0x00007FF8876B0000-0x00007FF888172000-memory.dmp

Filesize
10.8MB

Download
memory/3004-12-0x00007FF8876B0000-0x00007FF888172000-memory.dmp

Filesize
10.8MB

Download
memory/3004-3-0x0000023333130000-0x0000023333152000-memory.dmp

Filesize
136KB

Download
memory/3004-13-0x00007FF8876B0000-0x00007FF888172000-memory.dmp

Filesize
10.8MB

Download
memory/3004-0-0x00007FF8876B3000-0x00007FF8876B5000-memory.dmp

Filesize
8KB

Download
memory/3004-59-0x00007FF8876B0000-0x00007FF888172000-memory.dmp

Filesize
10.8MB

Download
memory/3004-11-0x00007FF8876B0000-0x00007FF888172000-memory.dmp

Filesize
10.8MB

Download
memory/3004-64-0x00007FF8876B0000-0x00007FF888172000-memory.dmp

Filesize
10.8MB

Download
memory/3004-677-0x00007FF8876B0000-0x00007FF888172000-memory.dmp

Filesize
10.8MB

Download
memory/3052-737-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-736-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-738-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-1102-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-735-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-739-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-728-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-1103-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-742-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-743-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-1104-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-733-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-734-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-411-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-671-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-670-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-669-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-668-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-667-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-666-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-665-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-664-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-663-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-661-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-660-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-659-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-658-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-657-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-656-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-655-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-654-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-649-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-648-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-647-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-615-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-419-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-417-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-416-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-415-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-414-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-413-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-412-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-410-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-409-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-69-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-70-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-68-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-67-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-66-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-65-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download