vidar | 884c8595250427c245264532b41f29334691e9b21b3526e9acb261a5952be10f

Analysis

max time kernel
107s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

884c8595250427c245264532b41f29334691e9b21b3526e9acb261a5952be10f.ps1
Size

3KB
MD5

eb268445cfc78545bacae46af1b5f268
SHA1

82a4feb89a8f2240778e1d49b401e8d28fb0f718
SHA256

884c8595250427c245264532b41f29334691e9b21b3526e9acb261a5952be10f
SHA512

c19cfbe8e0b84ec9f84e6cf6153d253ae89bb868d775b21e69f5645ad16e4df9eeb4b4d039ba6bd050349448cccd811dc5e58e203cdcd43bbfea35c050274f8a

Score

10^/10

vidar 00cb84c6bd4caac4bdfc1131beae4df7 credential_access defense_evasion discovery execution persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

13.3

Botnet

00cb84c6bd4caac4bdfc1131beae4df7

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://jacrcell.com/joomla/crypted.exe

exe.dropper

https://installsh.pages.dev/config.ps1

Signatures

Detect Vidar Stealer 64 IoCs

stealer

resource	yara_rule
behavioral2/memory/1600-49-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-50-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-51-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-58-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-59-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-64-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-65-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-68-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-72-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-73-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-74-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-78-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-79-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-97-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-426-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-427-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-428-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-429-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-432-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-436-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-437-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-438-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-442-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-444-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-799-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-852-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-857-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-859-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-860-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-863-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-864-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-865-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-866-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-873-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-874-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-878-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-879-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-883-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-884-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-885-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-890-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-942-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-947-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-948-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-953-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-954-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-957-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-961-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-962-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-963-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-968-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-969-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-1336-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-1337-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-1338-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-1339-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-1342-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-1346-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-1347-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-1348-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-1352-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-1383-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-1594-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4468-1602-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Blocklisted process makes network request 4 IoCs

flow	pid	Process
17	3240	powershell.exe
247	3240	powershell.exe
249	2736	powershell.exe
396	2736	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2736	powershell.exe
3240	powershell.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
17	3240	powershell.exe
249	2736	powershell.exe

Uses browser remote debugging 2 TTPs 16 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4528	msedge.exe
5624	chrome.exe
2436	chrome.exe
4728	chrome.exe
1832	chrome.exe
5036	chrome.exe
5764	msedge.exe
1916	chrome.exe
3428	chrome.exe
264	chrome.exe
3940	chrome.exe
4932	msedge.exe
2952	msedge.exe
3992	chrome.exe
3056	msedge.exe
400	msedge.exe

Executes dropped EXE 2 IoCs

pid	Process
4880	updater.exe
5672	updater.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate.ps1 = "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\UpdateCache\\WindowsUpdate.ps1\""	powershell.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
540	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4880 set thread context of 1600	4880	updater.exe	96
PID 5672 set thread context of 4468	5672	updater.exe	143

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
2332	timeout.exe
1184	timeout.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133878385001300705"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	powershell.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
3240	powershell.exe
3240	powershell.exe
1600	MSBuild.exe
1600	MSBuild.exe
1600	MSBuild.exe
1600	MSBuild.exe
1916	chrome.exe
1916	chrome.exe
1600	MSBuild.exe
1600	MSBuild.exe
1600	MSBuild.exe
1600	MSBuild.exe
1600	MSBuild.exe
1600	MSBuild.exe
1600	MSBuild.exe
1600	MSBuild.exe
2736	powershell.exe
2736	powershell.exe
2736	powershell.exe
4468	MSBuild.exe
4468	MSBuild.exe
4468	MSBuild.exe
4468	MSBuild.exe
4728	chrome.exe
4728	chrome.exe
4468	MSBuild.exe
4468	MSBuild.exe
4468	MSBuild.exe
4468	MSBuild.exe
4468	MSBuild.exe
4468	MSBuild.exe
4468	MSBuild.exe
4468	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
3056	msedge.exe
3056	msedge.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4932	msedge.exe
4932	msedge.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
3056	msedge.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4932	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 4880	3240	powershell.exe	94
PID 3240 wrote to memory of 4880	3240	powershell.exe	94
PID 4880 wrote to memory of 4720	4880	updater.exe	95
PID 4880 wrote to memory of 4720	4880	updater.exe	95
PID 4880 wrote to memory of 4720	4880	updater.exe	95
PID 4880 wrote to memory of 1600	4880	updater.exe	96
PID 4880 wrote to memory of 1600	4880	updater.exe	96
PID 4880 wrote to memory of 1600	4880	updater.exe	96
PID 4880 wrote to memory of 1600	4880	updater.exe	96
PID 4880 wrote to memory of 1600	4880	updater.exe	96
PID 4880 wrote to memory of 1600	4880	updater.exe	96
PID 4880 wrote to memory of 1600	4880	updater.exe	96
PID 4880 wrote to memory of 1600	4880	updater.exe	96
PID 4880 wrote to memory of 1600	4880	updater.exe	96
PID 4880 wrote to memory of 1600	4880	updater.exe	96
PID 4880 wrote to memory of 1600	4880	updater.exe	96
PID 4880 wrote to memory of 1600	4880	updater.exe	96
PID 1600 wrote to memory of 1916	1600	MSBuild.exe	99
PID 1600 wrote to memory of 1916	1600	MSBuild.exe	99
PID 1916 wrote to memory of 3712	1916	chrome.exe	100
PID 1916 wrote to memory of 3712	1916	chrome.exe	100
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 1400	1916	chrome.exe	102
PID 1916 wrote to memory of 1400	1916	chrome.exe	102
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 5384	1916	chrome.exe	101
PID 1916 wrote to memory of 3792	1916	chrome.exe	103
PID 1916 wrote to memory of 3792	1916	chrome.exe	103
PID 1916 wrote to memory of 3792	1916	chrome.exe	103
PID 1916 wrote to memory of 3792	1916	chrome.exe	103
PID 1916 wrote to memory of 3792	1916	chrome.exe	103
PID 1916 wrote to memory of 3792	1916	chrome.exe	103
PID 1916 wrote to memory of 3792	1916	chrome.exe	103
PID 1916 wrote to memory of 3792	1916	chrome.exe	103
PID 1916 wrote to memory of 3792	1916	chrome.exe	103
PID 1916 wrote to memory of 3792	1916	chrome.exe	103
PID 1916 wrote to memory of 3792	1916	chrome.exe	103

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\884c8595250427c245264532b41f29334691e9b21b3526e9acb261a5952be10f.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Local\cca7e8b1-e058-4a6d-9c5b-f032a484b1ea\updater.exe
  "C:\Users\Admin\AppData\Local\cca7e8b1-e058-4a6d-9c5b-f032a484b1ea\updater.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Checks processor information in registry
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb60bcdcf8,0x7ffb60bcdd04,0x7ffb60bcdd10
        5⤵
        
        PID:3712
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2012,i,4547991403198635274,11815442871695003230,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2008 /prefetch:2
        5⤵
        
        PID:5384
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2044,i,4547991403198635274,11815442871695003230,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2112 /prefetch:3
        5⤵
        
        PID:1400
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2392,i,4547991403198635274,11815442871695003230,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2364 /prefetch:8
        5⤵
        
        PID:3792
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3272,i,4547991403198635274,11815442871695003230,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3284 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5036
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3288,i,4547991403198635274,11815442871695003230,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3320 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3992
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4308,i,4547991403198635274,11815442871695003230,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4336 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:2436
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4716,i,4547991403198635274,11815442871695003230,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4740 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3428
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4704,i,4547991403198635274,11815442871695003230,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4768 /prefetch:8
        5⤵
        
        PID:4800
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5048,i,4547991403198635274,11815442871695003230,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5028 /prefetch:8
        5⤵
        
        PID:1504
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5304,i,4547991403198635274,11815442871695003230,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5316 /prefetch:8
        5⤵
        
        PID:4320
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5512,i,4547991403198635274,11815442871695003230,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5524 /prefetch:8
        5⤵
        
        PID:228
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5528,i,4547991403198635274,11815442871695003230,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5556 /prefetch:8
        5⤵
        
        PID:5244
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5708,i,4547991403198635274,11815442871695003230,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5724 /prefetch:8
        5⤵
        
        PID:516
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5804,i,4547991403198635274,11815442871695003230,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5372 /prefetch:8
        5⤵
        
        PID:2852
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5808,i,4547991403198635274,11815442871695003230,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5552 /prefetch:8
        5⤵
        
        PID:1160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:3056
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ffb60baf208,0x7ffb60baf214,0x7ffb60baf220
        5⤵
        
        PID:4712
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1912,i,771271080058029552,13962556346388371164,262144 --variations-seed-version --mojo-platform-channel-handle=2200 /prefetch:3
        5⤵
        
        PID:5264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2172,i,771271080058029552,13962556346388371164,262144 --variations-seed-version --mojo-platform-channel-handle=2168 /prefetch:2
        5⤵
        
        PID:5584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2468,i,771271080058029552,13962556346388371164,262144 --variations-seed-version --mojo-platform-channel-handle=2524 /prefetch:8
        5⤵
        
        PID:1816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3580,i,771271080058029552,13962556346388371164,262144 --variations-seed-version --mojo-platform-channel-handle=3616 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3596,i,771271080058029552,13962556346388371164,262144 --variations-seed-version --mojo-platform-channel-handle=3620 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:400
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\b1djm" & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:2424
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2332

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\UpdateCache\WindowsUpdate.ps1"
1⤵
- Hide Artifacts: Hidden Window
PID:540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\UpdateCache\WindowsUpdate.ps1"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Downloads MZ/PE file
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- - C:\Users\Admin\AppData\Local\f0990f0d-41f2-4513-acbc-df29172e02d8\updater.exe
    "C:\Users\Admin\AppData\Local\f0990f0d-41f2-4513-acbc-df29172e02d8\updater.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5672
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4468
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:4728
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb62a9dcf8,0x7ffb62a9dd04,0x7ffb62a9dd10
        6⤵
        
        PID:5512
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2000,i,8353662880125683826,9657396741918206957,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2140 /prefetch:3
        6⤵
        
        PID:3696
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2112,i,8353662880125683826,9657396741918206957,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2108 /prefetch:2
        6⤵
        
        PID:1232
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2424,i,8353662880125683826,9657396741918206957,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2624 /prefetch:8
        6⤵
        
        PID:2660
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,8353662880125683826,9657396741918206957,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3132 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5624
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,8353662880125683826,9657396741918206957,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3152 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1832
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4304,i,8353662880125683826,9657396741918206957,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4352 /prefetch:2
        6⤵
        Uses browser remote debugging
        
        PID:264
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4600,i,8353662880125683826,9657396741918206957,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3088 /prefetch:8
        6⤵
        
        PID:3668
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4872,i,8353662880125683826,9657396741918206957,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2736 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3940
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5012,i,8353662880125683826,9657396741918206957,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3080 /prefetch:8
        6⤵
        
        PID:5940
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5352,i,8353662880125683826,9657396741918206957,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5372 /prefetch:8
        6⤵
        
        PID:2332
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5560,i,8353662880125683826,9657396741918206957,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5396 /prefetch:8
        6⤵
        
        PID:4764
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5380,i,8353662880125683826,9657396741918206957,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5468 /prefetch:8
        6⤵
        
        PID:1432
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5668,i,8353662880125683826,9657396741918206957,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4812 /prefetch:8
        6⤵
        
        PID:3540
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5444,i,8353662880125683826,9657396741918206957,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5564 /prefetch:8
        6⤵
        
        PID:1808
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5468,i,8353662880125683826,9657396741918206957,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5484 /prefetch:8
        6⤵
        
        PID:4668
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:4932
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x260,0x7ffb62a7f208,0x7ffb62a7f214,0x7ffb62a7f220
        6⤵
        
        PID:3952
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1864,i,1443907857288267238,14442194233878443546,262144 --variations-seed-version --mojo-platform-channel-handle=2400 /prefetch:3
        6⤵
        
        PID:3192
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2192,i,1443907857288267238,14442194233878443546,262144 --variations-seed-version --mojo-platform-channel-handle=2416 /prefetch:8
        6⤵
        
        PID:5144
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2316,i,1443907857288267238,14442194233878443546,262144 --variations-seed-version --mojo-platform-channel-handle=2308 /prefetch:2
        6⤵
        
        PID:5232
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3532,i,1443907857288267238,14442194233878443546,262144 --variations-seed-version --mojo-platform-channel-handle=3608 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2952
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3580,i,1443907857288267238,14442194233878443546,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5764
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\bas0z" & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3940
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1184

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2896

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bas0z\3o8y5p

Filesize
14KB

MD5
4f9f81e779118bf783d22c1a5d51a94b

SHA1
e0648cca352464c4c54852a2cda6207103045ab8

SHA256
45dd969f8c15be26f62dd48f76943cf9035f46c6afe51490620f4326c72abc02

SHA512
290c9fa10df8767e73ff89471617314855a919ae5065dae81f8d86f6920f32fb18b237d62e00894c8aff59df9012e32535ca5a4b00bad1e730570055f5900ce7

Download Submit
C:\ProgramData\bas0z\ri5x4o

Filesize
288KB

MD5
9a3efac6cbb953007e61987d5299af8c

SHA1
1b636605499b29843c6e174e4839ba9b5903a4ab

SHA256
8d5473e4703144bc973151bf6d6b77fa6e3cc75b22996b308560468ae966491d

SHA512
da6115118c04a34aa90d8a1b353270f4fe9350a5ae0eed51918ebb8e3f97e14c42eea98b7e0080e9e8ee451cd3ab00c751aa1493c5ad2e9e9e79d5e88d74dc01

Download Submit
C:\ProgramData\bas0z\uk6f3e

Filesize
6KB

MD5
ab3b290f1097665f6c3283d09469d940

SHA1
5dfc7427d95408cbae6d73f41758a75b50189225

SHA256
22b5e2e8b31c471c991d4247bd477d53c2fbab73318fbe2ac2abffff7f1b54cc

SHA512
9aa4daae7847cd7385c474360e5f7603fe555dd99e5f7d2396a7eb91aad5c3ec6b2a29b7d2cfedb220eaf85e5bba679851bf9f94f89f0c44465427747efafb19

Download Submit
C:\ProgramData\bas0z\vasr16

Filesize
10KB

MD5
8083c711faff9cb59a7ad412fe50d70d

SHA1
a52d351323a935b277dece8300c40effa9a87802

SHA256
a8531117ebef246a6dfc0c7e4eee3c86e4247b0e5595fbbfc7a09bbb7b0d1848

SHA512
b0d5fd3dcb72756ef6ab76e581fd2bd0ca22960d4c8690e1ab76a1d50b9392e3417007f703d915fa4a728dee7e45bad7226b2962cebceb2dc7f3c37ace49a32a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D40B29EF2AAB638A6E53A219BE0F7862_7CC1BE4083661CE8C617B0F6CF027C04

Filesize
346B

MD5
6c29a159b6de77772b7d0a3527587f6c

SHA1
6531ad25db77d957cc41f08f9c5e36eb9cabd1e5

SHA256
1cc28d1657760a265f79d6c3793a2abe247fc65466ebfcb3722b08592f312ad7

SHA512
1a4fd04d4efee9767b8a172cc12ca1e53a0574eca569fa17ca8997414749feba303923dbfff7f7873d0b2f24007728d5fe5075f9136ce5a1340114371af44761

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
191bc2bc2494a7f6e8d70270e7189296

SHA1
cd56410e64b369be86e0d6644a95e9c213f91574

SHA256
f33da845d1094d963508fc739de11cbded77eeb490d8d063662eb28b8d1391f4

SHA512
5a71676057331b29e0a2ce6e3a2bd1bfceab6062ed9dd95b91bb6081272e6e773357c42c8b0f72fdfd722bb0cbd27ecabab3330545b2514a21adec21c800c003

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D40B29EF2AAB638A6E53A219BE0F7862_7CC1BE4083661CE8C617B0F6CF027C04

Filesize
544B

MD5
ab97f412aecff8a170c1900fddfa300d

SHA1
e79d8df07a8b833a864cf4429b926be111c65ac3

SHA256
a9ddf11ae528217ffafc00ba113cb4b5d5df899d046eae8e3f04debca050a2ab

SHA512
0a49ade1e39ea5be0a42153aac0d5afd9832e06286ed5d14317dcf30fb1747fc17d49610532c6ec254282414b1a247939cd48022efef7f1719d598e34b6c5742

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
34c29bdb9e41b1f47f2d2786762c12ec

SHA1
4075131b18c3487e3e848361e112009c897629c7

SHA256
67ee11b51cd6f637795e31ab501f135ed595c8459bce885735f08b0418513a17

SHA512
ca3a978798e77b2ced27b379f38e935ef18beaa7ea23e34270a9af20b37e1b1c5edf9478606311cf1acabd83992766cb3da8444de9394c674d5955bdbc53c0d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
13e85db7ab7bd0131b6d7b372eb6b3cb

SHA1
5bd031c1d79faee9f5b180576fb2ba73afd236a9

SHA256
96bf5616e02db2a7d71c4eb64ee4bf0ca8a06700e34ffa47bdc9c02f97092e20

SHA512
63e735544156689c62d6d5cffe428e6cf749066239e69dae910f08b89aa9f87efbeaf9ba5fa16d2644d16478ee854903270d4e330ddf89ea1bae6d54c98cb029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5fd15605b056e341a692255223ddd049

SHA1
a11507db4adc41c6030d12c3d0da31acc8002105

SHA256
054a2faa8fbacc541720675eba1fa53ac463d3961dad1f86e71a11af5efa1d53

SHA512
cc2acc951496bcdabfa2717f4f871d5b9fac94614319e5a02edb6e4d71731c8b0117384005167b5835841a37898d1fb957eda3bff4db816213c0acb6e8a949fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
8e82dfbf08b1b212a6c46ef6639f0a03

SHA1
2b74bff13e98c180548cd539fb03645de3c27527

SHA256
9ee354b6bfa975ad55f4b4dbc1355752205c8030c7640e99ca6fe6c27b745231

SHA512
802b47dfdb4e443d1c881f48f1e87a18cd0477068be233e41cf13c2a8bda5e226a034eb349f0799915430a411acd7c27fd51fdee6a3526fac47f7acae0d396cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
3e0c8a9baa8e8449af7ee190ed4824be

SHA1
6930889630a777eb2deffdfaa3458596f7b6c7e7

SHA256
319c5fea583896831bdd0434169541014de708ff688a908277bec5ecda3ddd95

SHA512
e35a7a140b227d4653aad836c06baf4372f4b33641deb1e120fdf7a2be8923b5b240dfbcd1561eeb694a64810e9bf70348224bb4664e864bba1aa6f76d74c056

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
0605b75c5c345cc202a7885499cc09a7

SHA1
540568cdb245ba26bce8711347e456320012e83d

SHA256
8ed5d8964a977a79c5aacf34853c9e5e00a06de2f2f0964a56c4089805a2dda8

SHA512
dae16a98e4cf861b918d684f0d7660e1c6647897afeded6859253a51f8dd95c41f007e3f20fe43da0292b493c170cb94fb8370d7b17b4f23cf2950cec477f9a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
12c21b7f0fad35aea4ce1b64c6cd4720

SHA1
a1d7ece6c1dd423aa917b86f76b374ba318c2e50

SHA256
6c0f57155f0cd5a25d3a5604a88ec661b9458cda15a1fff0c2fd70bd73f2315e

SHA512
b25c1fe0538684a6852933f4b300255059205461f495b7d871f0a22283dc8c78135c2f799b8b4b8a5610509ff4adc97b3a9fa0b0a573d023711ae85decceb16a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
27KB

MD5
7299a7844980571ce56cf5c2b7069bca

SHA1
b90242158153eec1f7e4e8db3abae30fcce0d1aa

SHA256
497ddb227256efa83067dbaf22205653d7bca6bcde228130c9b69d25db6890b7

SHA512
caa80d63a9bb894778203a226be8248ba94ebb2954bf44e29395744c7a109d2dfc5819fba3b4f9a265af7d2322c13813afb722fc9f7c4ad5d1e27c8d9fb776e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
35KB

MD5
c20b4b83755823442ba476ae3f840a2f

SHA1
cc2f444cf7a665d0d5a093c10502522e3af46dbf

SHA256
98babccf8549407e98ada9a0b9fe393539d9614ae30e45adcb12563eabe27c0e

SHA512
1e3c315fe283019c740e604f8191b5353973ecc4a0eabbeab8b7bcdff546819ee9b3af9d0f50481c8d7e8d7d2a56c3c45cf8b1f182b38a3bc04b45407d20b856

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
63KB

MD5
1901d2bcbbabee4bbb9804c30642ae2b

SHA1
f31774bc12614be681c0b0c7de3ac128f0e932db

SHA256
15eba349e5829f11363614b8f3dd9c3d04994586601d3c4c4d8069e0f5655310

SHA512
bdb94d7d8cf47b239c61559545b1dd26e05da909fec05d215471388545879cd8ec9e1fea51c04ed43927e2b07b5b80a74f09eb9038c8d9045e4161ea69df215f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
38KB

MD5
f53236bc138719b68ccd1c7efb02a276

SHA1
26b7d3eea5d3b12d0b0e173ebf2af50a7d7e56d6

SHA256
787c14f8cc865430c03c96a345044b7c5b8dc8a032511a500d4a42228533acd8

SHA512
5485bc7ccce8ec75f60bca3be846086a4bd4466009c8e22da9cdd16bb1154529af2fb2667cd3a97485cc4f6635fb79ac0fdda4f3e1f39f25f6196f708a92d740

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
320B

MD5
dfd4cfbd5d67c4c7583db447d4ba317b

SHA1
de63eee43a7f8907a12f7eb6e221e7419b29c967

SHA256
da147dc0ef4202dc4df3c166a684c4e27f8db9787ed66adcd2a8a663aac2632b

SHA512
b3223a7ed39ab2a25ec449f8caccbe19780226f898c7b7d5fa2b3848015780540760678aa0978635f9936fb811db1a8b08949b962e1259a334f32583a27db245

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG

Filesize
334B

MD5
44681d814a1a4dc9c0dbab9b57ea6b99

SHA1
9df14e81845b1d55a0a1c94a467b100ac7442b29

SHA256
48e1ea0f927b5f03e568ba55a9a05467f8af65d071a6303e69e6048452281eca

SHA512
a6444e77b57591b0c11156e5742b506f3066d5c3c5717b5fdd4f36e9a56220fe9bac8e2b3d3573c82098db70f53afd380109f05530b22ccd07b7ec41a11cd0db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log

Filesize
3KB

MD5
35697c44070004143ec5b533f040e05a

SHA1
06807cc63aba8f98c8834d334178480e9f38a537

SHA256
996912e8687e4fcde8df65a66948edf73c88395ea03d98c08e238b76c6b18db9

SHA512
ac69520b88b5e3c17138b3d444ee89dddac79f2ea63aa5bfe38ab3cefd7f4d84aa128bbff4531c867c19fbdf67cf8554796eae4146598236cbd7338546c250cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG

Filesize
333B

MD5
0a2e6885ff13bdc15bb8c40181b887b6

SHA1
2da92209cb8982925061338d731be59a6d351d98

SHA256
6f9c99c1e9bf065d47df66a86cdc993ba74ac38a1fcfc4714a27b93335cfd907

SHA512
14ffb9e90cfce8ef3829e29b70904a699fa7d2aab0db82279ef1000cc5bb82baa9b32edf6559d9eafd0db8224784773f074d5867d6256ae60abadba9725f6fa3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\ba23d8ecda68de77_0

Filesize
128KB

MD5
028d7845b069fb83c99db7cda3aee936

SHA1
c2be7849b640a02c03c489d8f6c3b0209acceb93

SHA256
bcd361261b958afd0f8fbfb18c4eda3401ae1fff3f2b3dee947b8cb3d0ecf416

SHA512
c76b5ef824933e60afb952d592b9667582d67780131401998c0b5f34c8413b2ad736d82fffc6629cb835ff7614d542abb5f09cea72efe064e23dcfa88f41f852

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\ba23d8ecda68de77_1

Filesize
343KB

MD5
235ad81f37c2f1be98e0f28e986c0caa

SHA1
b4445ff79b1a1c45c488eba2328ddee909f4e367

SHA256
71118322ef09a3988c0e29fa888e4cfb8309cd2e425ceaebeb4a0dac50b671e1

SHA512
0ddf345a66cefe8dd2ef38e1f85de97e021a6279167ae2f347015d728498d59f5a0db7b7f5a7bb9a5fd033940f272a9af7cd832ddc2c34ca92d5c4b9b04584a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
48B

MD5
8c79bdf8d1d7e3c6ddfa7b9c64fcadc5

SHA1
8cc0ce639228684abb2abbba3eee1d93704a8fe4

SHA256
6742694ea3cfa46a06c48c236637f8cf17059a90e75ab99ccdcad7302fb12d2b

SHA512
052857b96460f7cc29aec1ae6950afd65e23a5003719310362524db6528d41277f2e67ea8c83b06c4d5ba25b747af891a2a7f9935d9302c488b7d194c9348c09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
317B

MD5
98f243122f85687df59cd378b0b5b052

SHA1
4d810e14121694f5d5d0dd21c82359739342999e

SHA256
c81067ffe223d0d260e5ac0b1e611b1e911ca78f1c3d10a3f3d96e3d9d4f38a8

SHA512
5159a9bd6743cb09ea9922a893d7f4535e9fa55b6aa09643a12ec4b968648d9ce8c6d85e8f62c36f8e756091fc1774edc77a6fb2c27292d01e87865d040f3219

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
c91065d0545e8842810171c61a0b8b00

SHA1
115ab5441ea82a6571e923bd58833da3b0833dbc

SHA256
acc34838231f70bb1e25a96a399fe822be4eb08b97fcc442f33180086b85b17e

SHA512
79ba4f77bb93ea879d01bcb396eeec0d7ea7d236fb212ec77115e122348638335e12a0a8fffa789e74702669843b61ecad840da7554a57dd04560e41b4e2c8b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
ecc15ceeac22f2525cf0302e9384cc4a

SHA1
f4a3fffb192c5e65e0d9ae442e0b46ef4b1c2300

SHA256
5bb54ad2c0191a8d55f63b48db38c7f83f52a0f53de2d29a17b3643d8f877105

SHA512
bd108de0c9795d2d2996c016b5d1f96cc8be5b1e0b12438893ed449e43e5a6dc57581f567e61020071a92856e1ebb7820c2d04168392219e08694713f5ba34b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
130KB

MD5
c3c05df8b0c04fe6380bdd859a5cf4d3

SHA1
e0f3283dc3c96de467303324374eacfc1013500d

SHA256
7273c7a9ad8dcad318ca89559be421c9a52a9607179eadfc6b407fbde32f708c

SHA512
e2b3404e515936187ac9f7afd1d6b23eeb2c44e5510efb99e187b93d608297aa3ff01700ae3b731f12bd91109c0f84019ff2aaf97218958b7f32549b164a8e5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager-journal

Filesize
12KB

MD5
9224769eec979f14914af8e00389122b

SHA1
f88084b84b3f37cd3fec7edcd9e25387a6ef2bff

SHA256
404776d85bc19315edef17dba3f7e908dce8b354e54518767fa7f1ee8db4b3a5

SHA512
53d2bed285aaab745f26b22394f7998912ab90bdfe8d79a863160047de5f99b7330c5aad4cf735cb784f0c730cd68f7da7d362d6d64c14d621ed8d13b52e47d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
24KB

MD5
4befeec938525bcc8824b3eaca9b3cca

SHA1
87b13379d4272b8981c45fb6b827e3c1a9707a92

SHA256
33d1ee70cff753cdcfd50986a51dc7d841dec1fbff5a730ab114bbcdd416fa5e

SHA512
b8713e566b958ce54190d863dec2608b367d4da70b0965e40fd84331e3e55f7836790edc068537f6981ae67c40aa682677fa6ff85a4bacfc18b8cfafbd60c5b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
320B

MD5
15acb697de6fec81a0ed397331906152

SHA1
4ada702fcc9a81ab903876c364418e9214d0820d

SHA256
afee6386933d30deda18b8bc0c956c136ff1c1056e371461f5941418264bd58a

SHA512
9a5d1f4513d9ba9f5dfad40bad0d3f5b4e1170ead3b650c4bc0b7df6901f360b0b7aa90118fb090f11fa5b96e862c337a09b5c5eb246b91e183eeb38cbeaab21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
1KB

MD5
b68e07a9c68407965683001b68f0b28f

SHA1
ee66a8a6761449e5e0179266609900571108cb1a

SHA256
7ea91963df568f5372d8f1b47f7afb5fc078ce7ed6b7d4675ed41be2cc4f146b

SHA512
c2e566520debbd59414b029efcef548791930fb0869e6c6d819efd5db45f7fe1348315abd5021e89eddbb24e56d9fa82473e15a1d74bf512df5910ef6bd081c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
338B

MD5
3c2d220131545f8a76f88c04d5e30114

SHA1
eabbb7e512759a972791913b4f38dd15ca654061

SHA256
ea49849493173d119c29d544d5fda57f754229dc728abd1a0fbd9b810b30fcee

SHA512
33b6ea809e055203f7a054411d9e50c809df08784c0519051ecbf17cc85eeb7bc180fc6684c67b41e20467f9356fc83ac80363d994cecb9f8030b381929b604f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
b2409032b07cf9751348a24fb088e699

SHA1
e96e6f98289028a927df7a738cd89c5730ec9916

SHA256
3079225b9e0fa4466f884521248c9d617e7b1976fa3880586950c17a22327b71

SHA512
ebd38beafad754df4889206eb74c6cfbf2084c8967043903e99917ddad0a1dabc7b3b76d5a6ce4b1094f202f509eddd854dde42296811ac299910d129774f931

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
61126569c58bed0343617ce43d80aa62

SHA1
efd1ea11e92320bb7ef2c05ae892f4b3483fc096

SHA256
321e8a23b669a7ca5e30a937d76986dea6fd0ca3b56acc61059b565579e861be

SHA512
977350e67c17762aa92939adc3cc2e5961332cf061467b57a8c19b2a912a9b03a75eb87b15aa9450fa9a93d733509815871310073b1f1b0e0ee3f747fe212c87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
13B

MD5
a4710a30ca124ef24daf2c2462a1da92

SHA1
96958e2fe60d71e08ea922dfd5e69a50e38cc5db

SHA256
7114eaf0a021d2eb098b1e9f56f3500dc4f74ac68a87f5256922e4a4b9fa66b7

SHA512
43878e3bc6479df9e4ebd11092be61a73ab5a1441cd0bc8755edd401d37032c44a7279bab477c01d563ab4fa5d8078c0ba163a9207383538e894e0a7ff5a3e15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
56feda0be5bb6175beb9ba5eada899f4

SHA1
47360cd690529653106f6aef459b9b07752a89bb

SHA256
b2db333b475c7fca2e2e0b2061b0de5c0f964f1342d81eaafe4181e062f57951

SHA512
a7916eecceb8c923a05454738463af6cb87a55356470d23c2318ab2ea42166edaaf1cf465e7adf307a663d18a08f0132d2ce92b2ebf0ac7cc1e60f153077fed8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
16b7586b9eba5296ea04b791fc3d675e

SHA1
8890767dd7eb4d1beab829324ba8b9599051f0b0

SHA256
474d668707f1cb929fef1e3798b71b632e50675bd1a9dceaab90c9587f72f680

SHA512
58668d0c28b63548a1f13d2c2dfa19bcc14c0b7406833ad8e72dfc07f46d8df6ded46265d74a042d07fbc88f78a59cb32389ef384ec78a55976dfc2737868771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
20031480ccf6bebf98361fe14c288baa

SHA1
8ac883d71ff92f3ed8125c72e3799bab14d3d070

SHA256
68e4d74b70dd8b8bc2e37789231867ebc49ec16b10586f49c47e3b044bd060a5

SHA512
143d50c79edde2cee329c547a8f195c5a6f3881bed18fec6239953aedf0ba68c18725d0297769289714a02179c88843ad435c15e52909781ea57c4d7c084f9ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
998db8a9f40f71e2f3d9e19aac4db4a9

SHA1
dade0e68faef54a59d68ae8cb3b8314b6947b6d7

SHA256
1b28744565eb600485d9800703f2fb635ecf4187036c12d47f86bbd1e078e06b

SHA512
0e66fd26a11507f78fb1b173fd50555dbd95b0d330e095cdd93206757c6af2780ece914a11a23cd4c840636a59470f44c6db35fa392303fb583806264e652016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
b8cf72f6331c3144e55a69c14c50b30e

SHA1
bd6f9c61b552e592bcb584b950d51ad6f41fb698

SHA256
395979a6a3a951101bd7f456171db87d47b312d5ec349574b1e2c77e8602a1c8

SHA512
de95185f434ab2a7ed7124feaa885795b5824f513b9194b5b406c2037078c3e83d48a59dfc89fca5c99f1d2b9545dfa03f466564977a4fcf9c7fcfe3e56b9e03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d5ced14d-035f-42cc-bff6-566faa3bfdfb.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
e577438a1ad1b613ba91e2bd68816533

SHA1
ab43e836514e386e35296416c40be83c2dffd0e6

SHA256
23ff0ec41e75e053b41fa64fae8a4e95c81b380d4d2117746e38d12638d53676

SHA512
d82214b9833a143a8e2f73889426bca2352e3f5041e7bce4dd0e37c1040d9c80c076aedfaba103bab4814e5de0f8556c82ecacc7b6c64645b8b56573f71920c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d2598f94e21b31058e6214b9c26467c6

SHA1
92368dbec01dfee1daa4d395f500ca78f1f4be6f

SHA256
d4830c77a22b7ef4ec4e16e0ada48fc0b60918652b0299b09850b5bc9939ddfe

SHA512
e69d81999970beb7eb71987326f2bf69a423e2c7019295f8f8baef7dffc093e50550050d1d7e5da427b31f301ad0a103baf89b4c74cff46f11ace263f401546e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lpjahues.wex.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddfdc4ba-a459-4f27-ba3b-11d2dbb2c24a.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4728_2128080357\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4728_2128080357\CRX_INSTALL\_locales\en_US\messages.json

Filesize
1KB

MD5
64eaeb92cb15bf128429c2354ef22977

SHA1
45ec549acaa1fda7c664d3906835ced6295ee752

SHA256
4f70eca8e28541855a11ec7a4e6b3bc6dd16c672ff9b596ecfb7715bb3b5898c

SHA512
f63ee02159812146eee84c4eb2034edfc2858a287119cc34a8b38c309c1b98953e14ca1ca6304d6b32b715754b15ba1b3aa4b46976631b5944d50581b2f49def

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4728_2128080357\CRX_INSTALL\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4728_2128080357\CRX_INSTALL\manifest.json

Filesize
1KB

MD5
2a738ca67be8dd698c70974c9d4bb21b

SHA1
45a4086c876d276954ffce187af2ebe3dc667b5f

SHA256
b08d566a5705247ddc9abf5e970fc93034970b02cf4cb3d5ccc90e1a1f8c816e

SHA512
f72b9190f9f2b1acc52f7fbb920d48797a96e62dfc0659c418edbbc0299dccf1931f6c508b86c940b976016745b9877f88f2ee081d3e3d5dcdcc2cc7e7884492

Download Submit
C:\Users\Admin\AppData\Local\cca7e8b1-e058-4a6d-9c5b-f032a484b1ea\updater.exe

Filesize
1.7MB

MD5
175c9b6b2db3b3624f7df4c54dff3262

SHA1
a96c038467d2d6ff0b95275a828948997b6987a3

SHA256
5ce7687d00cc5cdc0b7575bc68940f7a092a1f559f987f3b6a9b0c837eaa6496

SHA512
3d728ce053930f16c8debc087807b3eaadef3c9b21a452b49f13ce767b35b221e71b15db8c849fe71c7d0077d2c0ab31506762626622f87347c596260cddff34

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateCache\WindowsUpdate.ps1

Filesize
3KB

MD5
21c010cf4481df82d7e5e4a0b4260793

SHA1
d2ae87b41aa4e951c3a3131ce7ebc8969948ed97

SHA256
b6e7e1ddaceee8c401056c0bd2e552c3545f6906b7de4b62ab3a239e5b01dfa7

SHA512
8f97b34ecda980b0a738d98a99a28ba6f6ceafe65ae97f41b0fc8561a919796e729429507a18e9fe0ef79feb6ee892afb29fc325615c920d72111f3649b3bf5f

Download Submit
memory/1600-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-884-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-883-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-879-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-890-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-878-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-432-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-873-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-866-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-865-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-64-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-65-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-68-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-72-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-73-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-74-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-864-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-78-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-79-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-863-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-860-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-428-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-857-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-852-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-799-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-444-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-442-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-438-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-437-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-436-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-874-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-427-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-859-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-429-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-426-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-97-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1600-885-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3240-0-0x00007FFB69F73000-0x00007FFB69F75000-memory.dmp

Filesize
8KB

Download
memory/3240-6-0x0000023C24530000-0x0000023C24552000-memory.dmp

Filesize
136KB

Download
memory/3240-11-0x00007FFB69F70000-0x00007FFB6AA31000-memory.dmp

Filesize
10.8MB

Download
memory/3240-12-0x00007FFB69F70000-0x00007FFB6AA31000-memory.dmp

Filesize
10.8MB

Download
memory/3240-13-0x00007FFB69F70000-0x00007FFB6AA31000-memory.dmp

Filesize
10.8MB

Download
memory/3240-14-0x00007FFB69F73000-0x00007FFB69F75000-memory.dmp

Filesize
8KB

Download
memory/3240-15-0x00007FFB69F70000-0x00007FFB6AA31000-memory.dmp

Filesize
10.8MB

Download
memory/3240-895-0x00007FFB69F70000-0x00007FFB6AA31000-memory.dmp

Filesize
10.8MB

Download
memory/4468-1337-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-1342-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-942-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-948-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-1336-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-969-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-954-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-953-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-957-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-1338-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-1339-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-947-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-1346-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-1347-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-1348-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-1352-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-961-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-1383-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-1594-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-962-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-1602-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-963-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4468-968-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download