Overview

overview

10

Static

static

7

cryptolaemus

windows10-2004-x64

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    44s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-05-2024 20:34

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    b662fc479161e92aee6749fa4deb969c12a43eb4b34e913d1340671eba98b64c.exe

  • Size

    1.5MB

  • MD5

    7f5800f336ab3e718a8621b07b54ea14

  • SHA1

    358914195e96ed04954bdb52f3388ba2075489a8

  • SHA256

    b662fc479161e92aee6749fa4deb969c12a43eb4b34e913d1340671eba98b64c

  • SHA512

    be0813ddeda3648bf69ad947c24f588030d5f9cb9ab00aab4b70246a7d96c3d82ca11c58074b65e8213ea5cf70e966b530d1f048ab7457fd5a96e28a18985e98

  • SSDEEP

    24576:Gz/nQKPDuahwSbEk+vQS70ziXOAo9trt4on6ntx3fz4WIhmswsMVkDw56/Xkouw5:4/zPDSxQC0ziXOB9xh6tx3fkNpuV76f7

Score
10/10
amadeylummaredlineriseprostealcxmrig118befc@cloudytteamc767c0zzvvdiscoveryevasionexecutioninfostealerminerpersistencespywarestealerthemidatrojan

Malware Config

Extracted

Family

amadey

Version

4.20

Botnet

18befc

C2

http://5.42.96.141

Attributes
  • install_dir

    908f070dff

  • install_file

    explorku.exe

  • strings_key

    b25a9385246248a95c600f9a061438e1

  • url_paths

    /go34ko8/index.php

rc4.plain

Extracted

Family

amadey

Version

4.20

Botnet

c767c0

C2

http://5.42.96.7

Attributes
  • install_dir

    7af68cdb52

  • install_file

    axplons.exe

  • strings_key

    e2ce58e78f631ed97d01fe7b70e85d5e

  • url_paths

    /zamo7h/index.php

rc4.plain

Extracted

Family

risepro

C2

147.45.47.126:58709

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

C2

185.172.128.33:8970

Extracted

Family

redline

Botnet

1

C2

185.215.113.67:26260

Extracted

Family

stealc

Botnet

zzvv

C2

http://23.88.106.134

Attributes
  • url_path

    /c73eed764cc59dcb.php

Extracted

Family

lumma

C2

https://headraisepresidensu.shop/api

https://sofaprivateawarderysj.shop/api

https://lineagelasserytailsd.shop/api

https://tendencyportionjsuk.shop/api

https://appetitesallooonsj.shop/api

https://minorittyeffeoos.shop/api

https://prideconstituiiosjk.shop/api

https://smallelementyjdui.shop/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • XMRig Miner payload 4 IoCs
    miner
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 24 IoCs
  • Identifies Wine through registry keys 2 TTPs 3 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 44 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 12 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\b662fc479161e92aee6749fa4deb969c12a43eb4b34e913d1340671eba98b64c.exe
    "C:\Users\Admin\AppData\Local\Temp\b662fc479161e92aee6749fa4deb969c12a43eb4b34e913d1340671eba98b64c.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of WriteProcessMemory
      PID:4800
      • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
        "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
        3⤵
          PID:3864
        • C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
          "C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4948
          • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
            "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2560
            • C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
              "C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2112
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                6⤵
                  PID:2584
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  6⤵
                  • Checks computer location settings
                  • Suspicious use of WriteProcessMemory
                  PID:3688
                  • C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
                    "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
                    7⤵
                    • Executes dropped EXE
                    • Modifies system certificate store
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1940
                  • C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
                    "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2092
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
                    7⤵
                      PID:3996
                      • C:\Windows\SysWOW64\choice.exe
                        choice /C Y /N /D Y /T 3
                        8⤵
                          PID:2768
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 352
                      6⤵
                      • Program crash
                      PID:1328
                  • C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe
                    "C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe"
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Suspicious use of WriteProcessMemory
                    PID:4752
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                      6⤵
                        PID:4412
                    • C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
                      "C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"
                      5⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3252
                    • C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
                      "C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"
                      5⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Drops file in Program Files directory
                      • Suspicious use of WriteProcessMemory
                      PID:3168
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameStabilityService\installm.bat" "
                        6⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2056
                        • C:\Windows\SysWOW64\sc.exe
                          Sc delete GameSyncLinks
                          7⤵
                          • Launches sc.exe
                          PID:2164
                        • C:\Program Files (x86)\GameStabilityService\GameService.exe
                          GameService remove GameSyncLinks confirm
                          7⤵
                          • Executes dropped EXE
                          PID:1088
                        • C:\Program Files (x86)\GameStabilityService\GameService.exe
                          GameService install GameStabilityService "C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe"
                          7⤵
                          • Executes dropped EXE
                          PID:2480
                        • C:\Program Files (x86)\GameStabilityService\GameService.exe
                          GameService start GameStabilityService
                          7⤵
                          • Executes dropped EXE
                          PID:5008
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
                        6⤵
                          PID:3852
                      • C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe
                        "C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe"
                        5⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        PID:2112
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                          6⤵
                            PID:2060
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                            6⤵
                            • Loads dropped DLL
                            • Checks processor information in registry
                            • Suspicious behavior: EnumeratesProcesses
                            PID:4908
                        • C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
                          "C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"
                          5⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          PID:2052
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                            6⤵
                              PID:4064
                          • C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
                            "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"
                            5⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            PID:4764
                            • C:\Windows\SysWOW64\schtasks.exe
                              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F
                              6⤵
                              • Creates scheduled task(s)
                              PID:4580
                          • C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe
                            "C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"
                            5⤵
                            • UAC bypass
                            • Windows security bypass
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Windows security modification
                            • Checks whether UAC is enabled
                            • Suspicious use of SetThreadContext
                            • Suspicious use of AdjustPrivilegeToken
                            • System policy modification
                            PID:3448
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe" -Force
                              6⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3068
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                              6⤵
                                PID:4768
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                6⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4256
                                • C:\Users\Admin\Pictures\V1WBwCqmYdkoTzuxtwh9YamG.exe
                                  "C:\Users\Admin\Pictures\V1WBwCqmYdkoTzuxtwh9YamG.exe"
                                  7⤵
                                  • Executes dropped EXE
                                  PID:3192
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 452
                                    8⤵
                                    • Program crash
                                    PID:836
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 484
                                    8⤵
                                    • Program crash
                                    PID:1648
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 748
                                    8⤵
                                    • Program crash
                                    PID:4464
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 756
                                    8⤵
                                    • Program crash
                                    PID:4884
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 828
                                    8⤵
                                    • Program crash
                                    PID:220
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 836
                                    8⤵
                                    • Program crash
                                    PID:1420
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 968
                                    8⤵
                                    • Program crash
                                    PID:3000
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1004
                                    8⤵
                                    • Program crash
                                    PID:3748
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1056
                                    8⤵
                                    • Program crash
                                    PID:4992
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1372
                                    8⤵
                                    • Program crash
                                    PID:4988
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /c taskkill /im "V1WBwCqmYdkoTzuxtwh9YamG.exe" /f & erase "C:\Users\Admin\Pictures\V1WBwCqmYdkoTzuxtwh9YamG.exe" & exit
                                    8⤵
                                      PID:2384
                                      • C:\Windows\SysWOW64\taskkill.exe
                                        taskkill /im "V1WBwCqmYdkoTzuxtwh9YamG.exe" /f
                                        9⤵
                                        • Kills process with taskkill
                                        PID:2692
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1484
                                      8⤵
                                      • Program crash
                                      PID:312
                                  • C:\Users\Admin\Pictures\8G4yEsfdP8E7VtiQpZU7mmJ0.exe
                                    "C:\Users\Admin\Pictures\8G4yEsfdP8E7VtiQpZU7mmJ0.exe"
                                    7⤵
                                      PID:4852
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -nologo -noprofile
                                        8⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        PID:4460
                                      • C:\Users\Admin\Pictures\8G4yEsfdP8E7VtiQpZU7mmJ0.exe
                                        "C:\Users\Admin\Pictures\8G4yEsfdP8E7VtiQpZU7mmJ0.exe"
                                        8⤵
                                          PID:3028
                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -nologo -noprofile
                                            9⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            PID:2584
                                      • C:\Users\Admin\Pictures\iyMOq1rJzgF5eNUyxV64Iroy.exe
                                        "C:\Users\Admin\Pictures\iyMOq1rJzgF5eNUyxV64Iroy.exe"
                                        7⤵
                                          PID:4908
                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -nologo -noprofile
                                            8⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            PID:3116
                                          • C:\Users\Admin\Pictures\iyMOq1rJzgF5eNUyxV64Iroy.exe
                                            "C:\Users\Admin\Pictures\iyMOq1rJzgF5eNUyxV64Iroy.exe"
                                            8⤵
                                              PID:2444
                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                powershell -nologo -noprofile
                                                9⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                PID:3912
                                          • C:\Users\Admin\Pictures\o0iWYS6qFMrb9mEgBp1ANR15.exe
                                            "C:\Users\Admin\Pictures\o0iWYS6qFMrb9mEgBp1ANR15.exe" /s
                                            7⤵
                                              PID:1060
                                            • C:\Users\Admin\Pictures\N9iu7zLQ4fY4Nrx4fp3OipqG.exe
                                              "C:\Users\Admin\Pictures\N9iu7zLQ4fY4Nrx4fp3OipqG.exe"
                                              7⤵
                                                PID:3752
                                              • C:\Users\Admin\Pictures\QswPwAJvsynMoFsYrPIY104g.exe
                                                "C:\Users\Admin\Pictures\QswPwAJvsynMoFsYrPIY104g.exe"
                                                7⤵
                                                  PID:4904
                                              • C:\Windows\system32\WerFault.exe
                                                C:\Windows\system32\WerFault.exe -u -p 3448 -s 1044
                                                6⤵
                                                  PID:4580
                                          • C:\Users\Admin\AppData\Local\Temp\1000014001\ad784f20dd.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1000014001\ad784f20dd.exe"
                                            3⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            PID:2964
                                      • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
                                        C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
                                        1⤵
                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                        • Checks BIOS information in registry
                                        • Executes dropped EXE
                                        • Identifies Wine through registry keys
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:1920
                                      • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
                                        C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
                                        1⤵
                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                        • Checks BIOS information in registry
                                        • Executes dropped EXE
                                        • Checks whether UAC is enabled
                                        PID:1080
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2112 -ip 2112
                                        1⤵
                                          PID:4416
                                        • C:\Program Files (x86)\GameStabilityService\GameService.exe
                                          "C:\Program Files (x86)\GameStabilityService\GameService.exe"
                                          1⤵
                                          • Executes dropped EXE
                                          PID:4488
                                          • C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe
                                            "C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            PID:4048
                                            • C:\Windows\Temp\795102.exe
                                              "C:\Windows\Temp\795102.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 86Adxfq6AnkKUZNQwBuLMF9HYKxy399q4GoNvX86ddj4DNkHhKaPCWagERDeBPVYSw76hQwZATyV8GAWhX5g2ujETX6AWcp --coin XMR -t 1 --no-color -p x
                                              3⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of FindShellTrayWindow
                                              PID:1888
                                            • C:\Windows\Temp\202833.exe
                                              "C:\Windows\Temp\202833.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 86Adxfq6AnkKUZNQwBuLMF9HYKxy399q4GoNvX86ddj4DNkHhKaPCWagERDeBPVYSw76hQwZATyV8GAWhX5g2ujETX6AWcp --coin XMR -t 1 --no-color -p x
                                              3⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of FindShellTrayWindow
                                              PID:448
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3192 -ip 3192
                                          1⤵
                                            PID:3156
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3192 -ip 3192
                                            1⤵
                                              PID:548
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3192 -ip 3192
                                              1⤵
                                                PID:3212
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3192 -ip 3192
                                                1⤵
                                                  PID:4476
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3192 -ip 3192
                                                  1⤵
                                                    PID:3312
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3192 -ip 3192
                                                    1⤵
                                                      PID:3012
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3192 -ip 3192
                                                      1⤵
                                                        PID:3316
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3192 -ip 3192
                                                        1⤵
                                                          PID:5100
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3192 -ip 3192
                                                          1⤵
                                                            PID:4464
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3192 -ip 3192
                                                            1⤵
                                                              PID:3796
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3192 -ip 3192
                                                              1⤵
                                                                PID:2484
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                                                                1⤵
                                                                  PID:1512
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                  1⤵
                                                                    PID:2424

                                                                  Network

                                                                  MITRE ATT&CK Enterprise v15

                                                                  Reconnaissance

                                                                  Resource Development

                                                                  Initial Access

                                                                  Execution

                                                                  Command and Scripting Interpreter

                                                                  1
                                                                  T1059

                                                                  PowerShell

                                                                  1
                                                                  T1059.001

                                                                  Scheduled Task/Job

                                                                  1
                                                                  T1053

                                                                  System Services

                                                                  1
                                                                  T1569

                                                                  Service Execution

                                                                  1
                                                                  T1569.002

                                                                  Persistence

                                                                  Boot or Logon Autostart Execution

                                                                  1
                                                                  T1547

                                                                  Registry Run Keys / Startup Folder

                                                                  1
                                                                  T1547.001

                                                                  Create or Modify System Process

                                                                  1
                                                                  T1543

                                                                  Windows Service

                                                                  1
                                                                  T1543.003

                                                                  Scheduled Task/Job

                                                                  1
                                                                  T1053

                                                                  Privilege Escalation

                                                                  Abuse Elevation Control Mechanism

                                                                  1
                                                                  T1548

                                                                  Bypass User Account Control

                                                                  1
                                                                  T1548.002

                                                                  Boot or Logon Autostart Execution

                                                                  1
                                                                  T1547

                                                                  Registry Run Keys / Startup Folder

                                                                  1
                                                                  T1547.001

                                                                  Create or Modify System Process

                                                                  1
                                                                  T1543

                                                                  Windows Service

                                                                  1
                                                                  T1543.003

                                                                  Scheduled Task/Job

                                                                  1
                                                                  T1053

                                                                  Defense Evasion

                                                                  Abuse Elevation Control Mechanism

                                                                  1
                                                                  T1548

                                                                  Bypass User Account Control

                                                                  1
                                                                  T1548.002

                                                                  Impair Defenses

                                                                  4
                                                                  T1562

                                                                  Disable or Modify Tools

                                                                  3
                                                                  T1562.001

                                                                  Modify Registry

                                                                  6
                                                                  T1112

                                                                  Subvert Trust Controls

                                                                  1
                                                                  T1553

                                                                  Install Root Certificate

                                                                  1
                                                                  T1553.004

                                                                  Virtualization/Sandbox Evasion

                                                                  2
                                                                  T1497

                                                                  Credential Access

                                                                  Unsecured Credentials

                                                                  3
                                                                  T1552

                                                                  Credentials In Files

                                                                  3
                                                                  T1552.001

                                                                  Discovery

                                                                  Query Registry

                                                                  6
                                                                  T1012

                                                                  System Information Discovery

                                                                  5
                                                                  T1082

                                                                  Virtualization/Sandbox Evasion

                                                                  2
                                                                  T1497

                                                                  Lateral Movement

                                                                  Collection

                                                                  Data from Local System

                                                                  3
                                                                  T1005

                                                                  Command and Control

                                                                  Web Service

                                                                  1
                                                                  T1102

                                                                  Exfiltration

                                                                  Impact

                                                                  Service Stop

                                                                  1
                                                                  T1489

                                                                  Replay Monitor

                                                                  Loading Replay Monitor...

                                                                  Downloads

                                                                  • C:\Program Files (x86)\GameStabilityService\GameService.exe
                                                                    Filesize

                                                                    288KB

                                                                    MD5

                                                                    d9ec6f3a3b2ac7cd5eef07bd86e3efbc

                                                                    SHA1

                                                                    e1908caab6f938404af85a7df0f80f877a4d9ee6

                                                                    SHA256

                                                                    472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

                                                                    SHA512

                                                                    1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

                                                                    Download Submit

                                                                  • C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe
                                                                    Filesize

                                                                    6.2MB

                                                                    MD5

                                                                    c4f2b643c3ff9bb7ae4fd625c9d98154

                                                                    SHA1

                                                                    bd7c7190e45cbda09be256bee7622bb74f75f00c

                                                                    SHA256

                                                                    76b585b4eac7b0584f28d66d6bf37ad29b1ab73354cbd3c5bb1c819787208f0b

                                                                    SHA512

                                                                    2efeaf9473ac1a8f42fd5870154faa37b06e4f331768cd7934fd4aa685eb6da4e28eaa7357807c4bf37dd79fc4a5eaf70ab4324ed0100dcdb4abaf4d9b0a7dcb

                                                                    Download Submit

                                                                  • C:\Program Files (x86)\GameStabilityService\installm.bat
                                                                    Filesize

                                                                    247B

                                                                    MD5

                                                                    192ae14b572f1bdd164ee67855d5a83a

                                                                    SHA1

                                                                    9cf0757c807a8b834470d216ccd85be9a6b60aa0

                                                                    SHA256

                                                                    2f6be6b40cf7c1802b6540dbf0b90eac67fd6a94067a06090e1f71bee164188d

                                                                    SHA512

                                                                    18fc80eb3d450359863d61cf9123a08cdfe8c52d5f59e97f5b42816584d474d8a080bb75e7fe92480d2961481d59584a3987b2e7a15e611b58885b4441085e3c

                                                                    Download Submit

                                                                  • C:\ProgramData\mozglue.dll
                                                                    Filesize

                                                                    593KB

                                                                    MD5

                                                                    c8fd9be83bc728cc04beffafc2907fe9

                                                                    SHA1

                                                                    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                                    SHA256

                                                                    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                                    SHA512

                                                                    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                                    Download Submit

                                                                  • C:\ProgramData\nss3.dll
                                                                    Filesize

                                                                    2.0MB

                                                                    MD5

                                                                    1cc453cdf74f31e4d913ff9c10acdde2

                                                                    SHA1

                                                                    6e85eae544d6e965f15fa5c39700fa7202f3aafe

                                                                    SHA256

                                                                    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                                                                    SHA512

                                                                    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                                                    Filesize

                                                                    2KB

                                                                    MD5

                                                                    a6ea7bfcd3aac150c0caef765cb52281

                                                                    SHA1

                                                                    037dc22c46a0eb0b9ad4c74088129e387cffe96b

                                                                    SHA256

                                                                    f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9

                                                                    SHA512

                                                                    c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                    Filesize

                                                                    21KB

                                                                    MD5

                                                                    a0689646fb6c9fee64d4c94b7c639222

                                                                    SHA1

                                                                    62f5c991665e70ff65d6b7d644c061fe6756db08

                                                                    SHA256

                                                                    d634db075c9c831674f150e3cfd3cc850bfe7620e073ac134f1bfbba87d10812

                                                                    SHA512

                                                                    ec23048aba2a801c82de19583f5d7883e66588ef2d2fff8211848e3e1be18645caaf35cd7090d7a10a4d292ac8f27386d1a2be23378cec9651086b0087dbbbee

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\[email protected]
                                                                    Filesize

                                                                    656B

                                                                    MD5

                                                                    184a117024f3789681894c67b36ce990

                                                                    SHA1

                                                                    c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e

                                                                    SHA256

                                                                    b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e

                                                                    SHA512

                                                                    354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
                                                                    Filesize

                                                                    830B

                                                                    MD5

                                                                    e6edb41c03bce3f822020878bde4e246

                                                                    SHA1

                                                                    03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9

                                                                    SHA256

                                                                    9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454

                                                                    SHA512

                                                                    2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
                                                                    Filesize

                                                                    2.7MB

                                                                    MD5

                                                                    31841361be1f3dc6c2ce7756b490bf0f

                                                                    SHA1

                                                                    ff2506641a401ac999f5870769f50b7326f7e4eb

                                                                    SHA256

                                                                    222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

                                                                    SHA512

                                                                    53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe
                                                                    Filesize

                                                                    474KB

                                                                    MD5

                                                                    e967f019b01357086d92181e6ee28e0b

                                                                    SHA1

                                                                    7f26480ea5ca0ee9481dfc0bea12194bd6f10283

                                                                    SHA256

                                                                    c69c17f4c6b2206437e7954c02424b80605d40e98c0adcad6839e170c94b1c82

                                                                    SHA512

                                                                    dd2abe993397cf9f117753fd71ed9f98c4952616ee30f10479fbc3dad93a88dcfbfd6b80083541c7a796936dd37667a0f178156bdf5c35abf76dd8b23015d88a

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
                                                                    Filesize

                                                                    304KB

                                                                    MD5

                                                                    9faf597de46ed64912a01491fe550d33

                                                                    SHA1

                                                                    49203277926355afd49393782ae4e01802ad48af

                                                                    SHA256

                                                                    0854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715

                                                                    SHA512

                                                                    ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
                                                                    Filesize

                                                                    2.0MB

                                                                    MD5

                                                                    1d814be25e80fa6739f6f1eec2018102

                                                                    SHA1

                                                                    44353b52a72e3f5c46b3d6078aab1211ce33b4fd

                                                                    SHA256

                                                                    01862602fb4853d90796a1a669b4ec4ab5e8cc6a774bf94e707171d5e16594fc

                                                                    SHA512

                                                                    15732577c4fd4a0d2303df2f2d623e165c94f5b8dcd92724681d41ac35ecefbe8c04052329ec6938a594086bf8a19a54253be9f33cc8b3a298261467cddf5578

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe
                                                                    Filesize

                                                                    778KB

                                                                    MD5

                                                                    05b11e7b711b4aaa512029ffcb529b5a

                                                                    SHA1

                                                                    a8074cf8a13f21617632951e008cdfdace73bb83

                                                                    SHA256

                                                                    2aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa

                                                                    SHA512

                                                                    dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
                                                                    Filesize

                                                                    1.2MB

                                                                    MD5

                                                                    56e7d98642cfc9ec438b59022c2d58d7

                                                                    SHA1

                                                                    26526f702e584d8c8b629b2db5d282c2125665d7

                                                                    SHA256

                                                                    a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383

                                                                    SHA512

                                                                    0be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
                                                                    Filesize

                                                                    1.8MB

                                                                    MD5

                                                                    c4c98eaf54be1bcc4f60af386194db44

                                                                    SHA1

                                                                    fc24b98fe5a8df7c0837476c9e7d92aeb827106d

                                                                    SHA256

                                                                    24af93b0dc559b4e87754ee7f190e3a9f7ad0f1779fea69b75bfb84799ed101f

                                                                    SHA512

                                                                    0b2b422e2fe2dd2177f01a238a4d061c1e60d57af4a4e21060c5dabb21130e9ed73c164cfa733e219225f53b05df437f7a3c293f450ed7bc5950d0569b3dd746

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\1000014001\ad784f20dd.exe
                                                                    Filesize

                                                                    2.2MB

                                                                    MD5

                                                                    b3d7da359c2aef9e2ec11bf9fc1a226e

                                                                    SHA1

                                                                    2a26c446ad9726d6306f23b07c3fbb3a22000615

                                                                    SHA256

                                                                    2db74885883ece9645e088c1e3b94c9407aa483edc5c5db137ea331e5735d29d

                                                                    SHA512

                                                                    2b340f49c837fd01cbc83eb5540d8a5c4c0cec31372cf545a424aea40ea7852d098241c79c3672f21d86a689f0ce35cc71a980a3be77b6b6b80300c92c089ecb

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
                                                                    Filesize

                                                                    418KB

                                                                    MD5

                                                                    0099a99f5ffb3c3ae78af0084136fab3

                                                                    SHA1

                                                                    0205a065728a9ec1133e8a372b1e3864df776e8c

                                                                    SHA256

                                                                    919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

                                                                    SHA512

                                                                    5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe
                                                                    Filesize

                                                                    379KB

                                                                    MD5

                                                                    009669d63111ff8efad651efac7333af

                                                                    SHA1

                                                                    d0ebf3a228e2d44e094aa3b1b056176bc05c8f40

                                                                    SHA256

                                                                    4736228698b5bb9b7dc86f4dbfe539e54fe5f5153be6c4aec7b8269e34c7a84b

                                                                    SHA512

                                                                    dbf32ce7ba68fa88f508bced74b898baa73679216374d885e279eaf848c8f197294f66a0131491050f70f93413d973cc1fe7245e8128758a6103a453e7aed808

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
                                                                    Filesize

                                                                    208B

                                                                    MD5

                                                                    2dbc71afdfa819995cded3cc0b9e2e2e

                                                                    SHA1

                                                                    60e1703c3fd4fe0fba9f1e65e10a61e0e72d9faf

                                                                    SHA256

                                                                    5a0070457636d37c11deb3148f6914583148fe45a66f44d7852f007ed5aad0ac

                                                                    SHA512

                                                                    0c59fa999ed912e6e747017c4e4c73f37ed7a72654f95eaea3db899308468e8756621db6e4edfd79e456ec69ce2e3e880817410b6aab1d01414f6300240d8b52

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
                                                                    Filesize

                                                                    1.5MB

                                                                    MD5

                                                                    7f5800f336ab3e718a8621b07b54ea14

                                                                    SHA1

                                                                    358914195e96ed04954bdb52f3388ba2075489a8

                                                                    SHA256

                                                                    b662fc479161e92aee6749fa4deb969c12a43eb4b34e913d1340671eba98b64c

                                                                    SHA512

                                                                    be0813ddeda3648bf69ad947c24f588030d5f9cb9ab00aab4b70246a7d96c3d82ca11c58074b65e8213ea5cf70e966b530d1f048ab7457fd5a96e28a18985e98

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\TmpBC4B.tmp
                                                                    Filesize

                                                                    2KB

                                                                    MD5

                                                                    1420d30f964eac2c85b2ccfe968eebce

                                                                    SHA1

                                                                    bdf9a6876578a3e38079c4f8cf5d6c79687ad750

                                                                    SHA256

                                                                    f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

                                                                    SHA512

                                                                    6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oopwcyif.exh.ps1
                                                                    Filesize

                                                                    60B

                                                                    MD5

                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                    SHA1

                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                    SHA256

                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                    SHA512

                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\{7A490DC9-786A-44a4-B6B6-CB8B595138C8}.tmp\360P2SP.dll
                                                                    Filesize

                                                                    824KB

                                                                    MD5

                                                                    fc1796add9491ee757e74e65cedd6ae7

                                                                    SHA1

                                                                    603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

                                                                    SHA256

                                                                    bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

                                                                    SHA512

                                                                    8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2539840389-1261165778-1087677076-1000\76b53b3ec448f7ccdda2063b15d2bfc3_468f6343-c0e6-4931-9703-30c6539573cb
                                                                    Filesize

                                                                    2KB

                                                                    MD5

                                                                    5586ebd0313bb1fda515656b29c05e75

                                                                    SHA1

                                                                    f2c9b91ba06b7dc8110ec326ec8fd7cc694376ff

                                                                    SHA256

                                                                    b25c83a729a7d6b4569996beb94e47af4b7281243785488148967cbaa91bff9f

                                                                    SHA512

                                                                    77cea1f85a04f0e132d9854a5e862b41078f1f81796222a074c009566cb4f8dc8fc7301cda30c8015c47ff08b86567efa89bd235ead2e582b532b3f09097f2b6

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
                                                                    Filesize

                                                                    304KB

                                                                    MD5

                                                                    0c582da789c91878ab2f1b12d7461496

                                                                    SHA1

                                                                    238bd2408f484dd13113889792d6e46d6b41c5ba

                                                                    SHA256

                                                                    a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

                                                                    SHA512

                                                                    a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
                                                                    Filesize

                                                                    750KB

                                                                    MD5

                                                                    20ae0bb07ba77cb3748aa63b6eb51afb

                                                                    SHA1

                                                                    87c468dc8f3d90a63833d36e4c900fa88d505c6d

                                                                    SHA256

                                                                    daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

                                                                    SHA512

                                                                    db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

                                                                    Download Submit

                                                                  • C:\Users\Admin\Desktop\Microsoft Edge.lnk
                                                                    Filesize

                                                                    2KB

                                                                    MD5

                                                                    bd5698465057c205e04f0d915150ea84

                                                                    SHA1

                                                                    212935831427bb2a33101491c99e926104639b6e

                                                                    SHA256

                                                                    ca3e904b19a7801c1fd3ce21c1b8a11583f3ea2ebca03b468d227e944b311b67

                                                                    SHA512

                                                                    7212f0344561fa147e27c1455f5179e58b72e4f2846c898050d1315ca9697c7407d2575043b907a4074b40e2b280304f1fd1e69494ad6e7ba12f595321becef2

                                                                    Download Submit

                                                                  • C:\Users\Admin\Desktop\Microsoft Edge.lnk
                                                                    Filesize

                                                                    2KB

                                                                    MD5

                                                                    10cfd4b82d089911d5cddebc5755247d

                                                                    SHA1

                                                                    ae1f89726fce76e48740872571380234dc71b7be

                                                                    SHA256

                                                                    b42b26a10f32f723718240596786a34f15bff4e79db1c14f9e69c3a74ae6305c

                                                                    SHA512

                                                                    f194efb6fdfcaa4833adfd03b5c1ac261872d73d6f5a4f4744dab2c48ef4ded62592fe9bee94fbb6cf5692fe5d15481f94dd13c0e460e4922c51fe6819e8954a

                                                                    Download Submit

                                                                  • C:\Users\Admin\Pictures\8G4yEsfdP8E7VtiQpZU7mmJ0.exe
                                                                    Filesize

                                                                    4.1MB

                                                                    MD5

                                                                    1eee28bc105cbbd364cca7b2db042a8c

                                                                    SHA1

                                                                    ee4370c95fdc7ac05b80bf69fdbb555c96e1b728

                                                                    SHA256

                                                                    a23c303215aaf509077321343e5de6fcdc1d1f6ba7f752e316452818899beeab

                                                                    SHA512

                                                                    330230ba0c892bf6b37fd103ee323d931bd5c980f2506dfe603b3f9d5f582005d069309026534c3a5be7231806a173be2a111b38ea8189ae1298db26430489a0

                                                                    Download Submit

                                                                  • C:\Users\Admin\Pictures\N9iu7zLQ4fY4Nrx4fp3OipqG.exe
                                                                    Filesize

                                                                    6.2MB

                                                                    MD5

                                                                    382307497abd634a05135b72690f8b2a

                                                                    SHA1

                                                                    87e587c8fc92e93cc5742ec3ba461ed2f28e4ad6

                                                                    SHA256

                                                                    45ab37527b51f17c6665856e1266f916a1ddf8609c9e3106904219c909c78cb9

                                                                    SHA512

                                                                    8021605db06782b311e530e929c8b9de144bbf778f651f90892821e7ecc854820556330afcfbfb4637e1db456cb0c6ab8bbacfbd90ba4a802d55066521df1c60

                                                                    Download Submit

                                                                  • C:\Users\Admin\Pictures\QswPwAJvsynMoFsYrPIY104g.exe
                                                                    Filesize

                                                                    901KB

                                                                    MD5

                                                                    bbb6e29319908e684a34df5cd053b1d6

                                                                    SHA1

                                                                    0c8bad1f0d5737189a35984a87eae40931284a81

                                                                    SHA256

                                                                    1a752bac587013dc8d249b80b400d5b23ad8d7c6a54a5795143aa4b71718bc21

                                                                    SHA512

                                                                    207c6293f8fd1fcc9fd5710c511285cdba25c736f7053a2f2999d4245ce89bdb09d4d0f32543417eeeaf453291079ca2c11ccbb0989613fe4e546fc5039c70c6

                                                                    Download Submit

                                                                  • C:\Users\Admin\Pictures\V1WBwCqmYdkoTzuxtwh9YamG.exe
                                                                    Filesize

                                                                    280KB

                                                                    MD5

                                                                    3e612b39c8ee2bc5c4fa3a75cdc34d3f

                                                                    SHA1

                                                                    233d9d109bc3e03412e2af6f7cba8253e6ba79d4

                                                                    SHA256

                                                                    0e1b23c1a2b3a9ddb5b89ae0485d94f9ec725bf007e6a86f83e8f58d8d8d82fe

                                                                    SHA512

                                                                    e7e945679a0407c4eb357ec510e11a3631ddfaa47c8386f3ff342ae0b159d2bff181e51e2e99030dd8e91e55c7b2058d8c56fcd80ec4d6e68786b214d5c9a07f

                                                                    Download Submit

                                                                  • C:\Users\Admin\Pictures\l2Aheu08xISKmygm1f2ngCaO.exe
                                                                    Filesize

                                                                    7KB

                                                                    MD5

                                                                    77f762f953163d7639dff697104e1470

                                                                    SHA1

                                                                    ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

                                                                    SHA256

                                                                    d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

                                                                    SHA512

                                                                    d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

                                                                    Download Submit

                                                                  • C:\Users\Admin\Pictures\o0iWYS6qFMrb9mEgBp1ANR15.exe
                                                                    Filesize

                                                                    1.5MB

                                                                    MD5

                                                                    cd4acedefa9ab5c7dccac667f91cef13

                                                                    SHA1

                                                                    bff5ce910f75aeae37583a63828a00ae5f02c4e7

                                                                    SHA256

                                                                    dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c

                                                                    SHA512

                                                                    06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1

                                                                    Download Submit

                                                                  • C:\Users\Public\Desktop\Google Chrome.lnk
                                                                    Filesize

                                                                    2KB

                                                                    MD5

                                                                    298e3f21a9acb2ce740e063daf930624

                                                                    SHA1

                                                                    2566fd2fb1707adbc37a638a3e81b31d055bffcf

                                                                    SHA256

                                                                    1de9941ecf837f5143fbd920c0fd117aa73a1bacd0e89696bb61879f6eae140a

                                                                    SHA512

                                                                    a49d9bea79f0c00a175a93066ca9f3a50f78eacb9daa0850b7df55fee34241f5846edeb991872d24aef33419af960b40d9ee82c1181a545213e1788dbd781915

                                                                    Download Submit

                                                                  • C:\Users\Public\Desktop\Google Chrome.lnk
                                                                    Filesize

                                                                    2KB

                                                                    MD5

                                                                    54ddde25cd28cfe4001cb3be7fcc8dea

                                                                    SHA1

                                                                    c3d83018ef5c6528856fc4c430c61da3fe8efd28

                                                                    SHA256

                                                                    6aef66625a30c42ada82a35073390ac6eb41c187e7a161d6b10c76085f9f8453

                                                                    SHA512

                                                                    1097f6d1043862b7cf8b5730d01e758df7ff4efcb2a807838a5d9e686c5c661c6bd61e9f6ec4e34682387bf5cfedcaf439961835fcecc5dc5d72a5f212d7c5dc

                                                                    Download Submit

                                                                  • C:\Windows\System32\GroupPolicy\gpt.ini
                                                                    Filesize

                                                                    127B

                                                                    MD5

                                                                    8ef9853d1881c5fe4d681bfb31282a01

                                                                    SHA1

                                                                    a05609065520e4b4e553784c566430ad9736f19f

                                                                    SHA256

                                                                    9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

                                                                    SHA512

                                                                    5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

                                                                    Download Submit

                                                                  • C:\Windows\Temp\795102.exe
                                                                    Filesize

                                                                    6.0MB

                                                                    MD5

                                                                    5cdb390aaba8caad929f5891f86cf8d7

                                                                    SHA1

                                                                    324a43fa56dffe541c0414f253faf2bf34ad9fa4

                                                                    SHA256

                                                                    1dfe2dd5f1bd757e852a271e0dc34f96aa9418983e9c8aded545302d2d69de44

                                                                    SHA512

                                                                    9e8dab07b840d9b0949a539e70cfa155ad08b34c73ae7f2810909f4bf5e1ddcee79f9630a9422083d244322d1afd9d91ade9fc4d75324bc4e45ee67a4900bbe9

                                                                    Download Submit

                                                                  • memory/1080-100-0x0000000000500000-0x00000000009E2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/1080-98-0x0000000000500000-0x00000000009E2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/1080-95-0x0000000000500000-0x00000000009E2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/1080-99-0x0000000000500000-0x00000000009E2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/1080-101-0x0000000000500000-0x00000000009E2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/1080-112-0x0000000000500000-0x00000000009E2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/1080-94-0x0000000000500000-0x00000000009E2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/1080-102-0x0000000000500000-0x00000000009E2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/1080-96-0x0000000000500000-0x00000000009E2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/1888-302-0x0000023861F70000-0x0000023861F90000-memory.dmp

                                                                    Filesize

                                                                    128KB

                                                                    Download

                                                                  • memory/1920-97-0x00000000009F0000-0x0000000000EA6000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/1920-124-0x00000000009F0000-0x0000000000EA6000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/1940-200-0x0000000006A50000-0x0000000006A8C000-memory.dmp

                                                                    Filesize

                                                                    240KB

                                                                    Download

                                                                  • memory/1940-413-0x0000000007B50000-0x0000000007D12000-memory.dmp

                                                                    Filesize

                                                                    1.8MB

                                                                    Download

                                                                  • memory/1940-158-0x0000000000980000-0x00000000009D2000-memory.dmp

                                                                    Filesize

                                                                    328KB

                                                                    Download

                                                                  • memory/1940-160-0x00000000052C0000-0x0000000005352000-memory.dmp

                                                                    Filesize

                                                                    584KB

                                                                    Download

                                                                  • memory/1940-163-0x0000000005450000-0x000000000545A000-memory.dmp

                                                                    Filesize

                                                                    40KB

                                                                    Download

                                                                  • memory/1940-303-0x0000000006D00000-0x0000000006D66000-memory.dmp

                                                                    Filesize

                                                                    408KB

                                                                    Download

                                                                  • memory/1940-360-0x0000000006F10000-0x0000000006F60000-memory.dmp

                                                                    Filesize

                                                                    320KB

                                                                    Download

                                                                  • memory/1940-181-0x0000000005F00000-0x0000000005F76000-memory.dmp

                                                                    Filesize

                                                                    472KB

                                                                    Download

                                                                  • memory/1940-414-0x0000000008250000-0x000000000877C000-memory.dmp

                                                                    Filesize

                                                                    5.2MB

                                                                    Download

                                                                  • memory/1940-186-0x00000000067E0000-0x00000000067FE000-memory.dmp

                                                                    Filesize

                                                                    120KB

                                                                    Download

                                                                  • memory/1940-211-0x0000000006BC0000-0x0000000006C0C000-memory.dmp

                                                                    Filesize

                                                                    304KB

                                                                    Download

                                                                  • memory/1940-198-0x0000000006AB0000-0x0000000006BBA000-memory.dmp

                                                                    Filesize

                                                                    1.0MB

                                                                    Download

                                                                  • memory/1940-159-0x00000000057D0000-0x0000000005D74000-memory.dmp

                                                                    Filesize

                                                                    5.6MB

                                                                    Download

                                                                  • memory/1940-199-0x00000000069F0000-0x0000000006A02000-memory.dmp

                                                                    Filesize

                                                                    72KB

                                                                    Download

                                                                  • memory/1940-189-0x0000000006F60000-0x0000000007578000-memory.dmp

                                                                    Filesize

                                                                    6.1MB

                                                                    Download

                                                                  • memory/1980-1-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/1980-6-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/1980-2-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/1980-3-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/1980-7-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/1980-5-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/1980-0-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/1980-8-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/1980-4-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/1980-21-0x0000000000CD0000-0x00000000011B2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/2092-357-0x000000001F070000-0x000000001F232000-memory.dmp

                                                                    Filesize

                                                                    1.8MB

                                                                    Download

                                                                  • memory/2092-296-0x000000001C5A0000-0x000000001C5BE000-memory.dmp

                                                                    Filesize

                                                                    120KB

                                                                    Download

                                                                  • memory/2092-295-0x000000001E920000-0x000000001E996000-memory.dmp

                                                                    Filesize

                                                                    472KB

                                                                    Download

                                                                  • memory/2092-164-0x00000000009E0000-0x0000000000AA0000-memory.dmp

                                                                    Filesize

                                                                    768KB

                                                                    Download

                                                                  • memory/2092-289-0x000000001E510000-0x000000001E61A000-memory.dmp

                                                                    Filesize

                                                                    1.0MB

                                                                    Download

                                                                  • memory/2092-358-0x000000001F770000-0x000000001FC98000-memory.dmp

                                                                    Filesize

                                                                    5.2MB

                                                                    Download

                                                                  • memory/2092-291-0x000000001C5E0000-0x000000001C61C000-memory.dmp

                                                                    Filesize

                                                                    240KB

                                                                    Download

                                                                  • memory/2092-290-0x000000001B7F0000-0x000000001B802000-memory.dmp

                                                                    Filesize

                                                                    72KB

                                                                    Download

                                                                  • memory/2112-287-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

                                                                    Filesize

                                                                    4KB

                                                                    Download

                                                                  • memory/2560-636-0x00000000009F0000-0x0000000000EA6000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/2560-261-0x00000000009F0000-0x0000000000EA6000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/2560-64-0x00000000009F0000-0x0000000000EA6000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/2964-262-0x00000000007B0000-0x0000000000E3C000-memory.dmp

                                                                    Filesize

                                                                    6.5MB

                                                                    Download

                                                                  • memory/2964-86-0x00000000007B0000-0x0000000000E3C000-memory.dmp

                                                                    Filesize

                                                                    6.5MB

                                                                    Download

                                                                  • memory/2964-84-0x00000000007B0000-0x0000000000E3C000-memory.dmp

                                                                    Filesize

                                                                    6.5MB

                                                                    Download

                                                                  • memory/2964-92-0x00000000007B0000-0x0000000000E3C000-memory.dmp

                                                                    Filesize

                                                                    6.5MB

                                                                    Download

                                                                  • memory/2964-83-0x00000000007B0000-0x0000000000E3C000-memory.dmp

                                                                    Filesize

                                                                    6.5MB

                                                                    Download

                                                                  • memory/2964-90-0x00000000007B0000-0x0000000000E3C000-memory.dmp

                                                                    Filesize

                                                                    6.5MB

                                                                    Download

                                                                  • memory/2964-87-0x00000000007B0000-0x0000000000E3C000-memory.dmp

                                                                    Filesize

                                                                    6.5MB

                                                                    Download

                                                                  • memory/2964-85-0x00000000007B0000-0x0000000000E3C000-memory.dmp

                                                                    Filesize

                                                                    6.5MB

                                                                    Download

                                                                  • memory/2964-91-0x00000000007B0000-0x0000000000E3C000-memory.dmp

                                                                    Filesize

                                                                    6.5MB

                                                                    Download

                                                                  • memory/2964-88-0x00000000007B0000-0x0000000000E3C000-memory.dmp

                                                                    Filesize

                                                                    6.5MB

                                                                    Download

                                                                  • memory/3068-478-0x00000243ED0D0000-0x00000243ED0F2000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/3116-596-0x0000000006250000-0x00000000062B6000-memory.dmp

                                                                    Filesize

                                                                    408KB

                                                                    Download

                                                                  • memory/3116-673-0x0000000008020000-0x000000000802A000-memory.dmp

                                                                    Filesize

                                                                    40KB

                                                                    Download

                                                                  • memory/3116-595-0x0000000005A70000-0x0000000005A92000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/3116-662-0x0000000073270000-0x00000000732BC000-memory.dmp

                                                                    Filesize

                                                                    304KB

                                                                    Download

                                                                  • memory/3116-594-0x0000000005B20000-0x0000000006148000-memory.dmp

                                                                    Filesize

                                                                    6.2MB

                                                                    Download

                                                                  • memory/3116-679-0x00000000080D0000-0x00000000080D8000-memory.dmp

                                                                    Filesize

                                                                    32KB

                                                                    Download

                                                                  • memory/3116-674-0x00000000080E0000-0x0000000008176000-memory.dmp

                                                                    Filesize

                                                                    600KB

                                                                    Download

                                                                  • memory/3116-663-0x000000006EED0000-0x000000006F224000-memory.dmp

                                                                    Filesize

                                                                    3.3MB

                                                                    Download

                                                                  • memory/3252-212-0x0000000000170000-0x00000000001C2000-memory.dmp

                                                                    Filesize

                                                                    328KB

                                                                    Download

                                                                  • memory/3448-437-0x00000233A33A0000-0x00000233A33AA000-memory.dmp

                                                                    Filesize

                                                                    40KB

                                                                    Download

                                                                  • memory/3448-466-0x00000233A50D0000-0x00000233A512C000-memory.dmp

                                                                    Filesize

                                                                    368KB

                                                                    Download

                                                                  • memory/3688-120-0x0000000000400000-0x0000000000592000-memory.dmp

                                                                    Filesize

                                                                    1.6MB

                                                                    Download

                                                                  • memory/3752-637-0x0000000140000000-0x0000000140C18000-memory.dmp

                                                                    Filesize

                                                                    12.1MB

                                                                    Download

                                                                  • memory/4064-400-0x0000000000400000-0x0000000000458000-memory.dmp

                                                                    Filesize

                                                                    352KB

                                                                    Download

                                                                  • memory/4256-468-0x0000000000400000-0x0000000000408000-memory.dmp

                                                                    Filesize

                                                                    32KB

                                                                    Download

                                                                  • memory/4412-185-0x0000000000400000-0x0000000000457000-memory.dmp

                                                                    Filesize

                                                                    348KB

                                                                    Download

                                                                  • memory/4412-183-0x0000000000400000-0x0000000000457000-memory.dmp

                                                                    Filesize

                                                                    348KB

                                                                    Download

                                                                  • memory/4460-661-0x00000000070E0000-0x0000000007183000-memory.dmp

                                                                    Filesize

                                                                    652KB

                                                                    Download

                                                                  • memory/4460-638-0x0000000007540000-0x0000000007BBA000-memory.dmp

                                                                    Filesize

                                                                    6.5MB

                                                                    Download

                                                                  • memory/4460-678-0x0000000007330000-0x000000000734A000-memory.dmp

                                                                    Filesize

                                                                    104KB

                                                                    Download

                                                                  • memory/4460-677-0x0000000007240000-0x0000000007254000-memory.dmp

                                                                    Filesize

                                                                    80KB

                                                                    Download

                                                                  • memory/4460-593-0x0000000004520000-0x0000000004556000-memory.dmp

                                                                    Filesize

                                                                    216KB

                                                                    Download

                                                                  • memory/4460-676-0x0000000007230000-0x000000000723E000-memory.dmp

                                                                    Filesize

                                                                    56KB

                                                                    Download

                                                                  • memory/4460-675-0x00000000071F0000-0x0000000007201000-memory.dmp

                                                                    Filesize

                                                                    68KB

                                                                    Download

                                                                  • memory/4460-648-0x0000000007080000-0x00000000070B2000-memory.dmp

                                                                    Filesize

                                                                    200KB

                                                                    Download

                                                                  • memory/4460-615-0x0000000005710000-0x0000000005A64000-memory.dmp

                                                                    Filesize

                                                                    3.3MB

                                                                    Download

                                                                  • memory/4460-616-0x0000000005AF0000-0x0000000005B0E000-memory.dmp

                                                                    Filesize

                                                                    120KB

                                                                    Download

                                                                  • memory/4460-617-0x0000000006060000-0x00000000060AC000-memory.dmp

                                                                    Filesize

                                                                    304KB

                                                                    Download

                                                                  • memory/4460-622-0x00000000060B0000-0x00000000060F4000-memory.dmp

                                                                    Filesize

                                                                    272KB

                                                                    Download

                                                                  • memory/4460-650-0x000000006EED0000-0x000000006F224000-memory.dmp

                                                                    Filesize

                                                                    3.3MB

                                                                    Download

                                                                  • memory/4460-660-0x00000000070C0000-0x00000000070DE000-memory.dmp

                                                                    Filesize

                                                                    120KB

                                                                    Download

                                                                  • memory/4460-649-0x0000000073270000-0x00000000732BC000-memory.dmp

                                                                    Filesize

                                                                    304KB

                                                                    Download

                                                                  • memory/4460-639-0x0000000006EC0000-0x0000000006EDA000-memory.dmp

                                                                    Filesize

                                                                    104KB

                                                                    Download

                                                                  • memory/4752-184-0x0000000001090000-0x0000000001091000-memory.dmp

                                                                    Filesize

                                                                    4KB

                                                                    Download

                                                                  • memory/4752-182-0x0000000001090000-0x0000000001091000-memory.dmp

                                                                    Filesize

                                                                    4KB

                                                                    Download

                                                                  • memory/4800-49-0x0000000000500000-0x00000000009E2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/4800-27-0x0000000000500000-0x00000000009E2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/4800-30-0x0000000000500000-0x00000000009E2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/4800-28-0x0000000000500000-0x00000000009E2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/4800-29-0x0000000000500000-0x00000000009E2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/4800-24-0x0000000000500000-0x00000000009E2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/4800-26-0x0000000000500000-0x00000000009E2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/4800-23-0x0000000000500000-0x00000000009E2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/4800-22-0x0000000000500000-0x00000000009E2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/4800-260-0x0000000000500000-0x00000000009E2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/4800-25-0x0000000000500000-0x00000000009E2000-memory.dmp

                                                                    Filesize

                                                                    4.9MB

                                                                    Download

                                                                  • memory/4908-306-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                                    Filesize

                                                                    972KB

                                                                    Download

                                                                  • memory/4908-288-0x0000000000400000-0x000000000063B000-memory.dmp

                                                                    Filesize

                                                                    2.2MB

                                                                    Download

                                                                  • memory/4908-286-0x0000000000400000-0x000000000063B000-memory.dmp

                                                                    Filesize

                                                                    2.2MB

                                                                    Download

                                                                  • memory/4948-50-0x0000000077204000-0x0000000077206000-memory.dmp

                                                                    Filesize

                                                                    8KB

                                                                    Download

                                                                  • memory/4948-63-0x0000000000530000-0x00000000009E6000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download

                                                                  • memory/4948-48-0x0000000000530000-0x00000000009E6000-memory.dmp

                                                                    Filesize

                                                                    4.7MB

                                                                    Download