Resubmissions

14-03-2024 11:45

240314-nw4b5sbb5v 10

13-03-2024 15:01

240313-sdxtvsfh9x 10

13-03-2024 14:22

240313-rpjkyagg56 10

Analysis

  • max time kernel
    213s
  • max time network
    658s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240221-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    14-03-2024 11:45

General

  • Target

    c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe

  • Size

    242KB

  • MD5

    8f44c565b6605afccbab295faaf420b8

  • SHA1

    a9fc5e1ca19b7034f846b12ee2e5890d8c64f3b3

  • SHA256

    c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0

  • SHA512

    cdbf40c2def3a3dc45ac006f99ebff60d936eff53d2b16236f0424285a1749e847ee1180daa0e9e256bd86e44e76cdbc2b83d5afd1e8db1edb699d0b95900206

  • SSDEEP

    3072:sY1hNzde2qx1Y7CzY8hv2BXhssNPhslWeQYmbd/5NOVAAC:11Twx2uzYvVhsspSlWbYId

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

rc4.i32
rc4.i32

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes
  • install_dir

    00c07260dc

  • install_file

    explorgu.exe

  • strings_key

    461809bd97c251ba0c0c8450c7055f1d

  • url_paths

    /yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

C2

20.218.68.91:7690

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes
  • strings_key

    461809bd97c251ba0c0c8450c7055f1d

  • url_paths

    /yandex/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detect ZGRat V1 8 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 5 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 14 IoCs
  • Identifies Wine through registry keys 2 TTPs 3 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 6 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to servers other than the configured DNS servers was detected on the DNS port.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 5 IoCs
  • NSIS installer 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
    "C:\Users\Admin\AppData\Local\Temp\c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1612
  • C:\Users\Admin\AppData\Local\Temp\B44C.exe
    C:\Users\Admin\AppData\Local\Temp\B44C.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    PID:1488
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E967.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\E967.dll
      2⤵
      • Loads dropped DLL
      PID:468
  • C:\Users\Admin\AppData\Local\Temp\3006.exe
    C:\Users\Admin\AppData\Local\Temp\3006.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Users\Admin\AppData\Local\Temp\3006.exe
      C:\Users\Admin\AppData\Local\Temp\3006.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      PID:1416
  • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
    C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe
      "C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
          PID:4372
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1128
            4⤵
            • Program crash
            PID:4248
      • C:\Users\Admin\AppData\Local\Temp\1000837001\goldprime1234.exe
        "C:\Users\Admin\AppData\Local\Temp\1000837001\goldprime1234.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3020
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          3⤵
            PID:2336
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
          2⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1172
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
            3⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2052
            • C:\Windows\system32\netsh.exe
              netsh wlan show profiles
              4⤵
                PID:3544
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\637591879962_Desktop.zip' -CompressionLevel Optimal
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2124
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
            2⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            PID:4628
          • C:\Users\Admin\AppData\Local\Temp\1000858001\alex12341.exe
            "C:\Users\Admin\AppData\Local\Temp\1000858001\alex12341.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            PID:3728
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              3⤵
                PID:876
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                3⤵
                  PID:1056
                  • C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe
                    "C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe"
                    4⤵
                    • Executes dropped EXE
                    PID:2064
                  • C:\Users\Admin\AppData\Roaming\configurationValue\TWO.exe
                    "C:\Users\Admin\AppData\Roaming\configurationValue\TWO.exe"
                    4⤵
                    • Executes dropped EXE
                    PID:1180
              • C:\Users\Admin\AppData\Local\Temp\1000865001\dais.exe
                "C:\Users\Admin\AppData\Local\Temp\1000865001\dais.exe"
                2⤵
                • Executes dropped EXE
                PID:3832
              • C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
                "C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"
                2⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                PID:4700
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                  3⤵
                  • Creates scheduled task(s)
                  PID:8312
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                  3⤵
                  • Creates scheduled task(s)
                  PID:5664
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000874021\random.cmd" "
                2⤵
                  PID:2496
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
                    3⤵
                    • Enumerates system info in registry
                    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                    PID:224
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
                                                          3⤵
                                                            PID:4512
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
                                                                  3⤵
                                                                    PID:4392
                                                                  • C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe"
    2⤵
    PID:6412
    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      3⤵
      PID:2272
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        4⤵
        PID:8000
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
          5⤵
          PID:5344
          • C:\Windows\system32\netsh.exe
            netsh wlan show profiles
            6⤵
            PID:6944
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        4⤵
        PID:6852
      • C:\Users\Admin\AppData\Local\Temp\1000010001\lenin.exe
        "C:\Users\Admin\AppData\Local\Temp\1000010001\lenin.exe"
        4⤵
        PID:7520
      • C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
        "C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe"
        4⤵
        PID:10988
  • C:\Users\Admin\AppData\Local\Temp\1000903001\lummahelp.exe
    "C:\Users\Admin\AppData\Local\Temp\1000903001\lummahelp.exe"
    2⤵
    PID:6680
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      3⤵
      PID:6024
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 1132
        4⤵
        • Program crash
        PID:11908
  • C:\Users\Admin\AppData\Local\Temp\1000935001\InstallSetup3.exe
    "C:\Users\Admin\AppData\Local\Temp\1000935001\InstallSetup3.exe"
    2⤵
    PID:9220
  • C:\Users\Admin\AppData\Local\Temp\1000936001\toolspub1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000936001\toolspub1.exe"
    2⤵
    PID:11240
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4372 -ip 4372
  1⤵
  PID:3548
• C:\Users\Admin\AppData\Local\Temp\F1C1.exe
  C:\Users\Admin\AppData\Local\Temp\F1C1.exe
  1⤵
  • Executes dropped EXE
  • Loads dropped DLL
  • Suspicious use of SetThreadContext
  • Suspicious use of WriteProcessMemory
  PID:1376
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    2⤵
    PID:960
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 1124
      3⤵
      • Program crash
      PID:1716
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 1100
      3⤵
      • Program crash
      PID:4148
• C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  1⤵
  • Checks SCSI registry key(s)
  • Modifies registry class
  • Suspicious use of AdjustPrivilegeToken
  • Suspicious use of FindShellTrayWindow
  • Suspicious use of SendNotifyMessage
  PID:3400
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 960 -ip 960
  1⤵
  PID:3184
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 960 -ip 960
  1⤵
  PID:4388
• C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  1⤵
  PID:4668
• C:\Users\Admin\AppData\Local\Temp\CCC0.exe
  C:\Users\Admin\AppData\Local\Temp\CCC0.exe
  1⤵
  • Executes dropped EXE
  PID:2472
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 512
    2⤵
    • Program crash
    PID:2936
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2472 -ip 2472
  1⤵
  PID:652
• C:\Users\Admin\AppData\Local\Temp\EEE0.exe
  C:\Users\Admin\AppData\Local\Temp\EEE0.exe
  1⤵
  • Executes dropped EXE
  • Writes to the Master Boot Record (MBR)
  PID:2568
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:3820
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:5316
• C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D8
  1⤵
  PID:5588
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:5820
• C:\Users\Admin\AppData\Roaming\bdasdga
  C:\Users\Admin\AppData\Roaming\bdasdga
  1⤵
  PID:7688
• C:\Users\Admin\AppData\Local\Temp\617C.exe
  C:\Users\Admin\AppData\Local\Temp\617C.exe
  1⤵
  PID:3784
  • C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"
    2⤵
    PID:5024
  • C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
    "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
    2⤵
    PID:9776
  • C:\Users\Admin\AppData\Local\Temp\april.exe
    "C:\Users\Admin\AppData\Local\Temp\april.exe"
    2⤵
    PID:7360
    • C:\Users\Admin\AppData\Local\Temp\is-DAADB.tmp\april.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-DAADB.tmp\april.tmp" /SL5="$30458,1478464,54272,C:\Users\Admin\AppData\Local\Temp\april.exe"
      3⤵
      PID:6672
      • C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe
        "C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe" -i
        4⤵
        PID:6488
      • C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe
        "C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe" -s
        4⤵
        PID:9696
• C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  1⤵
  PID:8116
• C:\Users\Admin\AppData\Local\Temp\3E7F.exe
  C:\Users\Admin\AppData\Local\Temp\3E7F.exe
  1⤵
  PID:7552
  • C:\Users\Admin\AppData\Local\Temp\is-7IPG4.tmp\3E7F.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-7IPG4.tmp\3E7F.tmp" /SL5="$40420,1634991,54272,C:\Users\Admin\AppData\Local\Temp\3E7F.exe"
    2⤵
    PID:9112
    • C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe
      "C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe" -i
      3⤵
      PID:9668
    • C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe
      "C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe" -s
      3⤵
      PID:5452
• C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  1⤵
  PID:9444
• C:\Users\Admin\AppData\Local\Temp\3880.exe
  C:\Users\Admin\AppData\Local\Temp\3880.exe
  1⤵
  PID:8764
• C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  1⤵
  PID:5048
• C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  1⤵
  PID:5904
• C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  1⤵
  PID:8380
• C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  1⤵
  PID:5220
• C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  1⤵
  PID:11476
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6024 -ip 6024
  1⤵
  PID:10772
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6024 -ip 6024
  1⤵
  PID:5220
• C:\Windows\system32\werfault.exe
  werfault.exe /h /shared Global\cd0e42c921a94894b7f746395ef78e5a /t 9576 /p 5904
  1⤵
  PID:8620
• C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  1⤵
  PID:5864

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\ProgramData\DirectSoundDriver 2.36.198.65\DirectSoundDriver 2.36.198.65.exe

  Filesize

  64KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

                                                                                                                                                              Filesize

                                                                                                                                                              2KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                                                                              Filesize

                                                                                                                                                              152B

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                                                                              Filesize

                                                                                                                                                              152B

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                                                                                              Filesize

                                                                                                                                                              1KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                                                                                              Filesize

                                                                                                                                                              111B

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                                                                                              Filesize

                                                                                                                                                              2KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                                              Filesize

                                                                                                                                                              5KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                                              Filesize

                                                                                                                                                              7KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                                              Filesize

                                                                                                                                                              7KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\addaf0b1-32be-46b2-ba2a-2097080d17fe\index-dir\the-real-index

                                                                                                                                                              Filesize

                                                                                                                                                              2KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\addaf0b1-32be-46b2-ba2a-2097080d17fe\index-dir\the-real-index~RFe5ae8db.TMP

                                                                                                                                                              Filesize

                                                                                                                                                              48B

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

                                                                                                                                                              Filesize

                                                                                                                                                              146B

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

                                                                                                                                                              Filesize

                                                                                                                                                              82B

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

                                                                                                                                                              Filesize

                                                                                                                                                              84B

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5a90c8.TMP

                                                                                                                                                              Filesize

                                                                                                                                                              89B

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

                                                                                                                                                              Filesize

                                                                                                                                                              16B

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

                                                                                                                                                              Filesize

                                                                                                                                                              72B

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5ae0eb.TMP

                                                                                                                                                              Filesize

                                                                                                                                                              48B

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                                                                                              Filesize

                                                                                                                                                              874B

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                                                                                              Filesize

                                                                                                                                                              874B

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                                                                                              Filesize

                                                                                                                                                              874B

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                                                                                              Filesize

                                                                                                                                                              874B

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5af667.TMP

                                                                                                                                                              Filesize

                                                                                                                                                              707B

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                                                                                                              Filesize

                                                                                                                                                              16B

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                                                                              Filesize

                                                                                                                                                              8KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                                                                              Filesize

                                                                                                                                                              11KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                                                                              Filesize

                                                                                                                                                              11KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XNU2PQS6\InstallSetup8[1].exe

                                                                                                                                                              Filesize

                                                                                                                                                              418KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

                                                                                                                                                              Filesize

                                                                                                                                                              1.6MB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

                                                                                                                                                              Filesize

                                                                                                                                                              1.2MB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe

                                                                                                                                                              Filesize

                                                                                                                                                              534KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000837001\goldprime1234.exe

                                                                                                                                                              Filesize

                                                                                                                                                              555KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000838001\judith1234.exe

                                                                                                                                                              Filesize

                                                                                                                                                              4.3MB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000858001\alex12341.exe

                                                                                                                                                              Filesize

                                                                                                                                                              1.7MB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000865001\dais.exe

                                                                                                                                                              Filesize

                                                                                                                                                              310KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000865001\dais.exe

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe

                                                                                                                                                              Filesize

                                                                                                                                                              3.0MB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe

                                                                                                                                                              Filesize

                                                                                                                                                              2.0MB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe

                                                                                                                                                              Filesize

                                                                                                                                                              1024KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000874021\random.cmd

                                                                                                                                                              Filesize

                                                                                                                                                              104B

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe

                                                                                                                                                              Filesize

                                                                                                                                                              192KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000903001\lummahelp.exe

                                                                                                                                                              Filesize

                                                                                                                                                              192KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1000935001\InstallSetup3.exe

                                                                                                                                                              Filesize

                                                                                                                                                              896KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

                                                                                                                                                              Filesize

                                                                                                                                                              64KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\3006.exe

                                                                                                                                                              Filesize

                                                                                                                                                              1.8MB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\3006.exe

                                                                                                                                                              Filesize

                                                                                                                                                              128KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus

                                                                                                                                                              Filesize

                                                                                                                                                              2.6MB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

                                                                                                                                                              Filesize

                                                                                                                                                              7.4MB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\637591879962_Desktop.zip

                                                                                                                                                              Filesize

                                                                                                                                                              159KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\B44C.exe

                                                                                                                                                              Filesize

                                                                                                                                                              1.8MB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\CCC0.exe

                                                                                                                                                              Filesize

                                                                                                                                                              6.5MB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E967.dll

                                                                                                                                                              Filesize

                                                                                                                                                              2.8MB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\EEE0.exe

                                                                                                                                                              Filesize

                                                                                                                                                              554KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\F1C1.exe

                                                                                                                                                              Filesize

                                                                                                                                                              3.1MB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\F1C1.exe

                                                                                                                                                              Filesize

                                                                                                                                                              3.3MB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

                                                                                                                                                              Filesize

                                                                                                                                                              742KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\_Files_\DismountUnblock.txt

                                                                                                                                                              Filesize

                                                                                                                                                              159KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1lg4gpmg.ln3.ps1

                                                                                                                                                              Filesize

                                                                                                                                                              60B

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\adobeNXG4jhfEzm4G\information.txt

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\april.exe

                                                                                                                                                              Filesize

                                                                                                                                                              896KB

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\heidiNXG4jhfEzm4G\QdX9ITDLyCRBWeb Data

                                                                                                                                                              Filesize

                                                                                                                                                              92KB

                                                                                                                                                              MD5

                                                                                                                                                              82727ca228f125c6c472807a15c3402c

                                                                                                                                                              SHA1

                                                                                                                                                              9562c5f8c68309c2d660cd445e9f364edce93b8f

                                                                                                                                                              SHA256

                                                                                                                                                              b2aa7c525764660b70c53bacdda9f334017db0b44c2abffa31621fa682bfb833

                                                                                                                                                              SHA512

                                                                                                                                                              61a2ccae65cf18f6e1c29f1df72b341cdc272078a236d9db5223e024d8acc57f48d8f664f6a747223297e91715578fb9e311fbe42f03c529b85f4111cbf3d900

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\heidiNXG4jhfEzm4G\ZunTSaNJLBVfWeb Data

                                                                                                                                                              Filesize

                                                                                                                                                              112KB

                                                                                                                                                              MD5

                                                                                                                                                              9cf0b730c84728d555a21f9639e36b6d

                                                                                                                                                              SHA1

                                                                                                                                                              31b7bed8d5606241ea2fae3a99be20ad9a74fad7

                                                                                                                                                              SHA256

                                                                                                                                                              002b1a9bee320aa70d416b1d264b77a021b03f57c68454ef805e885627fb5ba9

                                                                                                                                                              SHA512

                                                                                                                                                              8444c3afac9d7755ccc3fc7e1a42d3e1ed890cf69255c1bf0720b36e1f8f30ca25150d7ae566cb5f7123fe0fef081cf359cc1e138234a8c293c4b8c47284d43e

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\is-HL9CI.tmp\_isetup\_iscrypt.dll

                                                                                                                                                              Filesize

                                                                                                                                                              2KB

                                                                                                                                                              MD5

                                                                                                                                                              a69559718ab506675e907fe49deb71e9

                                                                                                                                                              SHA1

                                                                                                                                                              bc8f404ffdb1960b50c12ff9413c893b56f2e36f

                                                                                                                                                              SHA256

                                                                                                                                                              2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

                                                                                                                                                              SHA512

                                                                                                                                                              e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\is-HL9CI.tmp\_isetup\_shfoldr.dll

                                                                                                                                                              Filesize

                                                                                                                                                              22KB

                                                                                                                                                              MD5

                                                                                                                                                              92dc6ef532fbb4a5c3201469a5b5eb63

                                                                                                                                                              SHA1

                                                                                                                                                              3e89ff837147c16b4e41c30d6c796374e0b8e62c

                                                                                                                                                              SHA256

                                                                                                                                                              9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

                                                                                                                                                              SHA512

                                                                                                                                                              9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Text Ultra Edit\is-QVHMC.tmp

                                                                                                                                                              Filesize

                                                                                                                                                              122KB

                                                                                                                                                              MD5

                                                                                                                                                              6231b452e676ade27ca0ceb3a3cf874a

                                                                                                                                                              SHA1

                                                                                                                                                              f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1

                                                                                                                                                              SHA256

                                                                                                                                                              9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf

                                                                                                                                                              SHA512

                                                                                                                                                              f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

                                                                                                                                                              Filesize

                                                                                                                                                              109KB

                                                                                                                                                              MD5

                                                                                                                                                              2afdbe3b99a4736083066a13e4b5d11a

                                                                                                                                                              SHA1

                                                                                                                                                              4d4856cf02b3123ac16e63d4a448cdbcb1633546

                                                                                                                                                              SHA256

                                                                                                                                                              8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

                                                                                                                                                              SHA512

                                                                                                                                                              d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

                                                                                                                                                              Filesize

                                                                                                                                                              1.1MB

                                                                                                                                                              MD5

                                                                                                                                                              fd17bf7b07fc556a1748e9aafed3a89f

                                                                                                                                                              SHA1

                                                                                                                                                              ba458f77410c2cd7644bb5a6f37d88ed86ebdfcf

                                                                                                                                                              SHA256

                                                                                                                                                              e649e0c94651f1201d50828cc7598eebf21dbae67631308b412febb3c9dbf9f6

                                                                                                                                                              SHA512

                                                                                                                                                              53a3975029e7788acab6242527a9f056b98e246c72a88eb440cf1407b96c86ef6781fffe0bf441d3d25521be3577ef7c87218ffb42b9aae49453861854fda3c4

                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

                                                                                                                                                              Filesize

                                                                                                                                                              1.2MB

                                                                                                                                                              MD5

                                                                                                                                                              92fbdfccf6a63acef2743631d16652a7

                                                                                                                                                              SHA1

                                                                                                                                                              971968b1378dd89d59d7f84bf92f16fc68664506

                                                                                                                                                              SHA256

                                                                                                                                                              b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

                                                                                                                                                              SHA512

                                                                                                                                                              b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

                                                                                                                                                              Filesize

                                                                                                                                                              109KB

                                                                                                                                                              MD5

                                                                                                                                                              726cd06231883a159ec1ce28dd538699

                                                                                                                                                              SHA1

                                                                                                                                                              404897e6a133d255ad5a9c26ac6414d7134285a2

                                                                                                                                                              SHA256

                                                                                                                                                              12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

                                                                                                                                                              SHA512

                                                                                                                                                              9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

                                                                                                                                                              Filesize

                                                                                                                                                              832KB

                                                                                                                                                              MD5

                                                                                                                                                              63609258b213e16c70bef1ca7bedf907

                                                                                                                                                              SHA1

                                                                                                                                                              6ef1504255f3d2880e44f50e3f77aac4f4ef242a

                                                                                                                                                              SHA256

                                                                                                                                                              943e96a3617079e6f01ee232269ee57afca170b338a5f9e00b177420b55851ed

                                                                                                                                                              SHA512

                                                                                                                                                              cfe0b153260f459ad5bcd1aa95d468ef93178da50c09885338baeecd232b21324197bc8680be3aab066b365c0e375e39505fcf463686a1acda9bdd8fed5348ec

                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\configurationValue\TWO.exe

                                                                                                                                                              Filesize

                                                                                                                                                              296KB

                                                                                                                                                              MD5

                                                                                                                                                              28f30e43da4c45f023b546fc871a12ea

                                                                                                                                                              SHA1

                                                                                                                                                              ab063bbb313b75320f4335a8cd878f7a02e5f91c

                                                                                                                                                              SHA256

                                                                                                                                                              1e246855bc5d7648a3425771faa304d08ce84496a3afa7a023937ac41d381c6b

                                                                                                                                                              SHA512

                                                                                                                                                              559099480bc8518f740249b096c123bc5dfb9dc0126d1c681f4e650329cfb4383754ec8a307057f24b2692c36f4fa8e90b5b5d2debe1061e1ece27a7b26335b4

                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe

                                                                                                                                                              Filesize

                                                                                                                                                              278KB

                                                                                                                                                              MD5

                                                                                                                                                              ea1279a3e9e0c0d6ef4fb266f153e734

                                                                                                                                                              SHA1

                                                                                                                                                              5aeef1a7233ff1dccfbdf6d24bccdd29eb4fa96c

                                                                                                                                                              SHA256

                                                                                                                                                              9c38ecba653de6a28945eefb0d85def795dd25678d81c717b79fb00a07b70ad8

                                                                                                                                                              SHA512

                                                                                                                                                              e52e2233c285d918774fb9b3f01258ab070da9500e7568458c7362adcb0755b9a2b0a3df073d6c6a864df962c7556bb07c85d323dab951b8279f9c3fbf7aea29


                                                                                                                                                            • memory/1416-59-0x0000000000400000-0x0000000000848000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4.3MB

                                                                                                                                                            • memory/1416-77-0x0000000002F00000-0x000000000302B000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              1.2MB

                                                                                                                                                            • memory/1416-52-0x0000000000400000-0x0000000000848000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4.3MB

                                                                                                                                                            • memory/1416-78-0x0000000003030000-0x000000000313F000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              1.1MB

                                                                                                                                                            • memory/1416-62-0x0000000000F70000-0x0000000000F76000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              24KB

                                                                                                                                                            • memory/1416-81-0x0000000003030000-0x000000000313F000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              1.1MB

                                                                                                                                                            • memory/1416-55-0x0000000000400000-0x0000000000848000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4.3MB

                                                                                                                                                            • memory/1416-56-0x0000000000400000-0x0000000000848000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4.3MB

                                                                                                                                                            • memory/1416-57-0x0000000000400000-0x0000000000848000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4.3MB

                                                                                                                                                            • memory/1416-58-0x0000000000400000-0x0000000000848000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4.3MB

                                                                                                                                                            • memory/1488-23-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                            • memory/1488-21-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                            • memory/1488-31-0x0000000000E00000-0x00000000012B0000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4.7MB

                                                                                                                                                            • memory/1488-15-0x0000000000E00000-0x00000000012B0000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4.7MB

                                                                                                                                                            • memory/1488-16-0x0000000077436000-0x0000000077438000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              8KB

                                                                                                                                                            • memory/1488-17-0x0000000000E00000-0x00000000012B0000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4.7MB

                                                                                                                                                            • memory/1488-25-0x0000000004F10000-0x0000000004F11000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                            • memory/1488-24-0x0000000004F20000-0x0000000004F21000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                            • memory/1488-19-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                            • memory/1488-18-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                            • memory/1488-22-0x0000000004E90000-0x0000000004E91000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                            • memory/1488-20-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                            • memory/1532-50-0x00000000023D0000-0x000000000258D000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              1.7MB

                                                                                                                                                            • memory/1532-51-0x0000000002590000-0x0000000002747000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              1.7MB

                                                                                                                                                            • memory/1612-5-0x0000000000400000-0x0000000001A29000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              22.2MB

                                                                                                                                                            • memory/1612-3-0x0000000000400000-0x0000000001A29000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              22.2MB

                                                                                                                                                            • memory/1612-2-0x0000000003870000-0x000000000387B000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              44KB

                                                                                                                                                            • memory/1612-1-0x0000000001AD0000-0x0000000001BD0000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              1024KB

                                                                                                                                                            • memory/2124-210-0x000001F7240F0000-0x000001F724100000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              64KB

                                                                                                                                                            • memory/2124-180-0x00007FFB353C0000-0x00007FFB35E82000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              10.8MB

                                                                                                                                                            • memory/2124-181-0x000001F7240F0000-0x000001F724100000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              64KB

                                                                                                                                                            • memory/2124-182-0x000001F7240F0000-0x000001F724100000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              64KB

                                                                                                                                                            • memory/2124-191-0x000001F724270000-0x000001F724292000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              136KB

                                                                                                                                                            • memory/2168-71-0x0000000004C90000-0x0000000004C91000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                            • memory/2168-237-0x0000000000200000-0x00000000006B0000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4.7MB

                                                                                                                                                            • memory/2168-236-0x0000000000200000-0x00000000006B0000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4.7MB

                                                                                                                                                            • memory/2168-209-0x0000000000200000-0x00000000006B0000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4.7MB

                                                                                                                                                            • memory/2168-208-0x0000000000200000-0x00000000006B0000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4.7MB

                                                                                                                                                            • memory/2168-66-0x0000000000200000-0x00000000006B0000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4.7MB

                                                                                                                                                            • memory/2168-67-0x0000000000200000-0x00000000006B0000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4.7MB

                                                                                                                                                            • memory/2168-69-0x0000000004C70000-0x0000000004C71000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                            • memory/2168-68-0x0000000004C60000-0x0000000004C61000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                            • memory/2168-70-0x0000000004C50000-0x0000000004C51000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                            • memory/2168-172-0x0000000000200000-0x00000000006B0000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4.7MB

                                                                                                                                                            • memory/2168-72-0x0000000004C30000-0x0000000004C31000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                            • memory/2168-73-0x0000000004C40000-0x0000000004C41000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                            • memory/2168-75-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                            • memory/2168-76-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4KB

                                                                                                                                                            • memory/2168-127-0x0000000000200000-0x00000000006B0000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              4.7MB

                                                                                                                                                            • memory/2336-144-0x0000000005910000-0x00000000059A2000-memory.dmp

                                                                                                                                                              Filesize

                                                                                                                                                              584KB

                                                                                                                                                            • memory/2336-157-0x00000000085A0000-0x00000000085B2000-memory.dmp
