Overview

overview

10

Static

static

3

a61dc154af...44.exe

windows7-x64

10

a61dc154af...44.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-08-2024 02:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a61dc154af80d7c67638c50ca91d567ba0f872562c1b6c616e58abdda3bc3544.exe

  • Size

    1.8MB

  • MD5

    fbb7e8266d0875b81f294136bb93f90a

  • SHA1

    88096781cb97d1fb0aab5ea5c59501eeebd06c52

  • SHA256

    a61dc154af80d7c67638c50ca91d567ba0f872562c1b6c616e58abdda3bc3544

  • SHA512

    1d86f4d357daf13b50c08f111fc58126674fe452ee09be4e7ecec23a65e3576e069929c90605a6abebfbcc3755881b76ae0a6112b9ad66fef3d6c6db3b338e28

  • SSDEEP

    49152:6j1W65FNCu4RC+ResbXIYa/FOv/w/uxdvzNdTIss2/6ODKs:6ldCu2rgsbXC/FOgGxH7s21t

Score
10/10
amadeyexelastealerlummapurelogstealerredlinesectopratstealcxworm14082024816fa@cloudytteama51500defaultfed3aalivetrafficnew testpeniscollectioncredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerpersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

C2

95.179.163.21:29257

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

C2

65.21.18.51:45580

Extracted

Family

stealc

Botnet

default

C2

http://185.215.113.17

Attributes
  • url_path

    /2fb6c2cc8dce150a.php

Extracted

Family

redline

Botnet

14082024

C2

185.215.113.67:21405

Extracted

Family

stealc

Botnet

penis

C2

http://185.196.9.140

Attributes
  • url_path

    /c3f845711fab35f8.php

Extracted

Family

xworm

C2

127.0.0.1:7000

beshomandotestbesnd.run.place:7000
Attributes
  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted

Family

redline

Botnet

816FA

C2

88.99.151.68:7200

Extracted

Family

redline

Botnet

NEW TEST

C2

beshomandotestbesnd.run.place:46717

Extracted

Family

amadey

Version

4.41

Botnet

a51500

C2

http://api.garageserviceoperation.com

Attributes
  • install_dir

    0cf505a27f

  • install_file

    ednfovi.exe

  • strings_key

    0044a8b8e295529eaf3743c9bc3171d2

  • url_paths

    /CoreOPT/index.php

rc4.plain

Extracted

Family

lumma

C2

https://deicedosmzj.shop/api

https://potentioallykeos.shop/api

https://interactiedovspm.shop/api

https://charecteristicdxp.shop/api

https://cagedwifedsozm.shop/api

https://southedhiscuso.shop/api

https://consciousourwi.shop/api

https://tenntysjuxmz.shop/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Xworm Payload 2 IoCs
  • Exela Stealer

    Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

    stealerexelastealer
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • PureLog Stealer

    PureLog Stealer is an infostealer written in C#.

    stealerpurelogstealer
  • PureLog Stealer payload 2 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 7 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 9 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Clipboard Data 1 TTPs 2 IoCs

    Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    collection
  • Drops startup file 4 IoCs
  • Executes dropped EXE 28 IoCs
  • Identifies Wine through registry keys 2 TTPs 3 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 37 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Service Discovery 1 TTPs 2 IoCs

    Attempt to gather information on host's network.

    discovery
  • Enumerates processes with tasklist 1 TTPs 10 IoCs
    discovery
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
    defense_evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Windows directory 10 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

    discovery
  • Program crash 22 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • System Network Connections Discovery 1 TTPs 1 IoCs

    Attempt to get a listing of network connections.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Collects information from the system 1 TTPs 1 IoCs

    Uses WMIC.exe to find detailed system information.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 61 IoCs
  • Suspicious use of SendNotifyMessage 57 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3464
      • C:\Users\Admin\AppData\Local\Temp\a61dc154af80d7c67638c50ca91d567ba0f872562c1b6c616e58abdda3bc3544.exe
        "C:\Users\Admin\AppData\Local\Temp\a61dc154af80d7c67638c50ca91d567ba0f872562c1b6c616e58abdda3bc3544.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3056
        • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
          "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3640
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F
        2⤵
        • System Location Discovery: System Language Discovery
        PID:5776
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:5904
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & exit
        2⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        PID:5940
      • C:\Users\Admin\AppData\Local\Temp\297145\Cultures.pif
        C:\Users\Admin\AppData\Local\Temp\297145\Cultures.pif
        2⤵
        • Executes dropped EXE
        PID:940
      • C:\Users\Admin\AppData\Local\Temp\297145\Cultures.pif
        C:\Users\Admin\AppData\Local\Temp\297145\Cultures.pif
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1000
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe
        "C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:632
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          PID:872
      • C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
        "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4996
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          3⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3104
          • C:\Users\Admin\AppData\Roaming\vMovAJy60a.exe
            "C:\Users\Admin\AppData\Roaming\vMovAJy60a.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1972
          • C:\Users\Admin\AppData\Roaming\lA6lx4CDam.exe
            "C:\Users\Admin\AppData\Roaming\lA6lx4CDam.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1848
      • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe
        "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:3584
      • C:\Users\Admin\AppData\Local\Temp\1000129001\clcs.exe
        "C:\Users\Admin\AppData\Local\Temp\1000129001\clcs.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1444
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=clcs.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
          3⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:3196
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb993d46f8,0x7ffb993d4708,0x7ffb993d4718
            4⤵
              PID:4984
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,1017485896636015480,4354692426493713010,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
              4⤵
                PID:4080
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,1017485896636015480,4354692426493713010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:4888
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,1017485896636015480,4354692426493713010,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
                4⤵
                  PID:4284
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,1017485896636015480,4354692426493713010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
                  4⤵
                    PID:5004
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,1017485896636015480,4354692426493713010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
                    4⤵
                      PID:1688
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=clcs.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
                    3⤵
                    • Enumerates system info in registry
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    PID:1232
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb993d46f8,0x7ffb993d4708,0x7ffb993d4718
                      4⤵
                        PID:4844
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9128745804343841996,8055874499146012789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
                        4⤵
                          PID:3948
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,9128745804343841996,8055874499146012789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
                          4⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:692
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,9128745804343841996,8055874499146012789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
                          4⤵
                            PID:996
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9128745804343841996,8055874499146012789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
                            4⤵
                              PID:1500
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9128745804343841996,8055874499146012789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
                              4⤵
                                PID:5036
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9128745804343841996,8055874499146012789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
                                4⤵
                                  PID:4664
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9128745804343841996,8055874499146012789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
                                  4⤵
                                    PID:4224
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9128745804343841996,8055874499146012789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
                                    4⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:1724
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9128745804343841996,8055874499146012789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
                                    4⤵
                                      PID:4692
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9128745804343841996,8055874499146012789,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
                                      4⤵
                                        PID:3392
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9128745804343841996,8055874499146012789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
                                        4⤵
                                          PID:5268
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9128745804343841996,8055874499146012789,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
                                          4⤵
                                            PID:5276
                                      • C:\Users\Admin\AppData\Local\Temp\1000135001\14082024.exe
                                        "C:\Users\Admin\AppData\Local\Temp\1000135001\14082024.exe"
                                        2⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4052
                                      • C:\Users\Admin\AppData\Local\Temp\1000147001\BattleGermany.exe
                                        "C:\Users\Admin\AppData\Local\Temp\1000147001\BattleGermany.exe"
                                        2⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:5692
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /k move Cassette Cassette.cmd & Cassette.cmd & exit
                                          3⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:5788
                                          • C:\Windows\SysWOW64\tasklist.exe
                                            tasklist
                                            4⤵
                                            • Enumerates processes with tasklist
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:5900
                                          • C:\Windows\SysWOW64\findstr.exe
                                            findstr /I "wrsa.exe opssvc.exe"
                                            4⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:5908
                                          • C:\Windows\SysWOW64\tasklist.exe
                                            tasklist
                                            4⤵
                                            • Enumerates processes with tasklist
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:6004
                                          • C:\Windows\SysWOW64\findstr.exe
                                            findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
                                            4⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:6012
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /c md 177479
                                            4⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:6064
                                          • C:\Windows\SysWOW64\findstr.exe
                                            findstr /V "FoolBurkeRetainedWait" Drop
                                            4⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:6080
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /c copy /b ..\Tracked + ..\Luggage + ..\Prime + ..\Involved + ..\Fluid + ..\Newport + ..\Rod + ..\Society s
                                            4⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:6116
                                          • C:\Users\Admin\AppData\Local\Temp\177479\Community.pif
                                            Community.pif s
                                            4⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of FindShellTrayWindow
                                            • Suspicious use of SendNotifyMessage
                                            PID:6136
                                            • C:\Windows\SysWOW64\cmd.exe
                                              cmd /c schtasks.exe /create /tn "Capable" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
                                              5⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:3160
                                              • C:\Windows\SysWOW64\schtasks.exe
                                                schtasks.exe /create /tn "Capable" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
                                                6⤵
                                                • System Location Discovery: System Language Discovery
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:5116
                                            • C:\Windows\SysWOW64\schtasks.exe
                                              schtasks.exe /create /tn "SkyPilot" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc onlogon /F /RL HIGHEST
                                              5⤵
                                              • System Location Discovery: System Language Discovery
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4664
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                                              C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                                              5⤵
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:5920
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                                              C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                                              5⤵
                                                PID:2508
                                            • C:\Windows\SysWOW64\choice.exe
                                              choice /d y /t 15
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:1276
                                        • C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe
                                          "C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe"
                                          2⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Drops file in Windows directory
                                          • System Location Discovery: System Language Discovery
                                          PID:4488
                                          • C:\Windows\SysWOW64\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit
                                            3⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:4960
                                            • C:\Windows\SysWOW64\tasklist.exe
                                              tasklist
                                              4⤵
                                              • Enumerates processes with tasklist
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:5536
                                            • C:\Windows\SysWOW64\findstr.exe
                                              findstr /I "wrsa.exe opssvc.exe"
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:5544
                                            • C:\Windows\SysWOW64\tasklist.exe
                                              tasklist
                                              4⤵
                                              • Enumerates processes with tasklist
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4196
                                            • C:\Windows\SysWOW64\findstr.exe
                                              findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:4420
                                            • C:\Windows\SysWOW64\cmd.exe
                                              cmd /c md 40365
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:5564
                                            • C:\Windows\SysWOW64\findstr.exe
                                              findstr /V "HopeBuildersGeniusIslam" Sonic
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:2872
                                            • C:\Windows\SysWOW64\cmd.exe
                                              cmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:5624
                                            • C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif
                                              Beijing.pif s
                                              4⤵
                                              • Suspicious use of NtCreateUserProcessOtherParentProcess
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of FindShellTrayWindow
                                              • Suspicious use of SendNotifyMessage
                                              PID:5680
                                              • C:\Users\Admin\AppData\Local\Temp\1000064001\kitty.exe
                                                "C:\Users\Admin\AppData\Local\Temp\1000064001\kitty.exe"
                                                5⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                PID:3364
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 488
                                                  6⤵
                                                  • Program crash
                                                  PID:3420
                                              • C:\Users\Admin\AppData\Local\Temp\1000142101\build2.exe
                                                "C:\Users\Admin\AppData\Local\Temp\1000142101\build2.exe"
                                                5⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Drops file in Windows directory
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious use of FindShellTrayWindow
                                                PID:3024
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 752
                                                  6⤵
                                                  • Program crash
                                                  PID:5212
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 800
                                                  6⤵
                                                  • Program crash
                                                  PID:6104
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 888
                                                  6⤵
                                                  • Program crash
                                                  PID:916
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 924
                                                  6⤵
                                                  • Program crash
                                                  PID:3544
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 964
                                                  6⤵
                                                  • Program crash
                                                  PID:2848
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1012
                                                  6⤵
                                                  • Program crash
                                                  PID:2012
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1060
                                                  6⤵
                                                  • Program crash
                                                  PID:3256
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1148
                                                  6⤵
                                                  • Program crash
                                                  PID:3828
                                                • C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe"
                                                  6⤵
                                                  • Executes dropped EXE
                                                  • System Location Discovery: System Language Discovery
                                                  PID:5220
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 556
                                                    7⤵
                                                    • Program crash
                                                    PID:5716
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 576
                                                    7⤵
                                                    • Program crash
                                                    PID:1348
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 600
                                                    7⤵
                                                    • Program crash
                                                    PID:5512
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 728
                                                    7⤵
                                                    • Program crash
                                                    PID:3852
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 860
                                                    7⤵
                                                    • Program crash
                                                    PID:5736
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 892
                                                    7⤵
                                                    • Program crash
                                                    PID:4828
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 900
                                                    7⤵
                                                    • Program crash
                                                    PID:3224
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 864
                                                    7⤵
                                                    • Program crash
                                                    PID:4676
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 860
                                                    7⤵
                                                    • Program crash
                                                    PID:4700
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 1104
                                                    7⤵
                                                    • Program crash
                                                    PID:1096
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 1124
                                                    7⤵
                                                    • Program crash
                                                    PID:4360
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 1320
                                                    7⤵
                                                    • Program crash
                                                    PID:3648
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 768
                                                  6⤵
                                                  • Program crash
                                                  PID:4048
                                            • C:\Windows\SysWOW64\choice.exe
                                              choice /d y /t 5
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:5760
                                        • C:\Users\Admin\AppData\Local\Temp\1000157001\coreplugin.exe
                                          "C:\Users\Admin\AppData\Local\Temp\1000157001\coreplugin.exe"
                                          2⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          PID:5568
                                          • C:\Windows\SysWOW64\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /k move Anytime Anytime.cmd & Anytime.cmd & exit
                                            3⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:5672
                                            • C:\Windows\SysWOW64\tasklist.exe
                                              tasklist
                                              4⤵
                                              • Enumerates processes with tasklist
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:6080
                                            • C:\Windows\SysWOW64\findstr.exe
                                              findstr /I "wrsa.exe opssvc.exe"
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:6096
                                            • C:\Windows\SysWOW64\tasklist.exe
                                              tasklist
                                              4⤵
                                              • Enumerates processes with tasklist
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:5892
                                            • C:\Windows\SysWOW64\findstr.exe
                                              findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:5992
                                            • C:\Windows\SysWOW64\cmd.exe
                                              cmd /c md 297145
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:5848
                                            • C:\Windows\SysWOW64\findstr.exe
                                              findstr /V "CorkBkConditionsMoon" Scary
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:3272
                                            • C:\Windows\SysWOW64\cmd.exe
                                              cmd /c copy /b ..\Dependence + ..\Nsw + ..\Developmental + ..\Shared + ..\Ranges + ..\Notify + ..\Pending + ..\Previously k
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:1892
                                            • C:\Users\Admin\AppData\Local\Temp\297145\Cultures.pif
                                              Cultures.pif k
                                              4⤵
                                              • Suspicious use of NtCreateUserProcessOtherParentProcess
                                              • Executes dropped EXE
                                              • Suspicious use of SetThreadContext
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of FindShellTrayWindow
                                              • Suspicious use of SendNotifyMessage
                                              PID:5428
                                            • C:\Windows\SysWOW64\choice.exe
                                              choice /d y /t 5
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:5432
                                        • C:\Users\Admin\AppData\Local\Temp\1000167001\crypted8888.exe
                                          "C:\Users\Admin\AppData\Local\Temp\1000167001\crypted8888.exe"
                                          2⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetThreadContext
                                          • System Location Discovery: System Language Discovery
                                          PID:5116
                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                            3⤵
                                              PID:1000
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                              3⤵
                                              • Loads dropped DLL
                                              • System Location Discovery: System Language Discovery
                                              • Checks processor information in registry
                                              PID:3256
                                          • C:\Users\Admin\AppData\Local\Temp\1000169001\explorer.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1000169001\explorer.exe"
                                            2⤵
                                            • Checks computer location settings
                                            • Drops startup file
                                            • Executes dropped EXE
                                            • Adds Run key to start application
                                            • Suspicious behavior: AddClipboardFormatListener
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of SetWindowsHookEx
                                            PID:1604
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000169001\explorer.exe'
                                              3⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:5652
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
                                              3⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:5780
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\explorer'
                                              3⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:5260
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer'
                                              3⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4744
                                            • C:\Windows\System32\schtasks.exe
                                              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\explorer"
                                              3⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:5752
                                            • C:\Users\Admin\AppData\Local\Temp\1000177001\Mswgoudnv.exe
                                              "C:\Users\Admin\AppData\Local\Temp\1000177001\Mswgoudnv.exe"
                                              3⤵
                                              • Executes dropped EXE
                                              • Drops file in Windows directory
                                              • System Location Discovery: System Language Discovery
                                              PID:4788
                                          • C:\Users\Admin\AppData\Local\Temp\1000170001\LummaC22222.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1000170001\LummaC22222.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:5704
                                          • C:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            PID:4024
                                            • C:\Users\Admin\AppData\Local\Temp\onefile_4024_133687657549545166\stub.exe
                                              C:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe
                                              3⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              PID:1172
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /c "ver"
                                                4⤵
                                                  PID:5628
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
                                                  4⤵
                                                    PID:4616
                                                    • C:\Windows\System32\Wbem\WMIC.exe
                                                      wmic path win32_VideoController get name
                                                      5⤵
                                                      • Detects videocard installed
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:64
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
                                                    4⤵
                                                      PID:5816
                                                      • C:\Windows\System32\Wbem\WMIC.exe
                                                        wmic computersystem get Manufacturer
                                                        5⤵
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:6092
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c "gdb --version"
                                                      4⤵
                                                        PID:5788
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c "tasklist"
                                                        4⤵
                                                          PID:5796
                                                          • C:\Windows\system32\tasklist.exe
                                                            tasklist
                                                            5⤵
                                                            • Enumerates processes with tasklist
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:6076
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
                                                          4⤵
                                                            PID:5936
                                                            • C:\Windows\System32\Wbem\WMIC.exe
                                                              wmic path Win32_ComputerSystem get Manufacturer
                                                              5⤵
                                                                PID:5292
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                              4⤵
                                                                PID:3012
                                                                • C:\Windows\System32\Wbem\WMIC.exe
                                                                  wmic csproduct get uuid
                                                                  5⤵
                                                                    PID:5996
                                                                • C:\Windows\system32\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c "tasklist"
                                                                  4⤵
                                                                    PID:3224
                                                                    • C:\Windows\system32\tasklist.exe
                                                                      tasklist
                                                                      5⤵
                                                                      • Enumerates processes with tasklist
                                                                      PID:5784
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
                                                                    4⤵
                                                                    • Hide Artifacts: Hidden Files and Directories
                                                                    PID:3344
                                                                    • C:\Windows\system32\attrib.exe
                                                                      attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
                                                                      5⤵
                                                                      • Views/modifies file attributes
                                                                      PID:5692
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
                                                                    4⤵
                                                                      PID:5868
                                                                      • C:\Windows\system32\mshta.exe
                                                                        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
                                                                        5⤵
                                                                          PID:2440
                                                                      • C:\Windows\system32\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
                                                                        4⤵
                                                                          PID:6116
                                                                          • C:\Windows\system32\taskkill.exe
                                                                            taskkill /F /IM chrome.exe
                                                                            5⤵
                                                                            • Kills process with taskkill
                                                                            PID:2188
                                                                        • C:\Windows\system32\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                          4⤵
                                                                            PID:5144
                                                                            • C:\Windows\system32\tasklist.exe
                                                                              tasklist /FO LIST
                                                                              5⤵
                                                                              • Enumerates processes with tasklist
                                                                              PID:3148
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
                                                                            4⤵
                                                                            • Clipboard Data
                                                                            PID:940
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              powershell.exe Get-Clipboard
                                                                              5⤵
                                                                              • Clipboard Data
                                                                              PID:1904
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c "chcp"
                                                                            4⤵
                                                                              PID:3208
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp
                                                                                5⤵
                                                                                  PID:432
                                                                              • C:\Windows\system32\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c "chcp"
                                                                                4⤵
                                                                                  PID:2260
                                                                                  • C:\Windows\system32\chcp.com
                                                                                    chcp
                                                                                    5⤵
                                                                                      PID:1500
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
                                                                                    4⤵
                                                                                    • System Network Configuration Discovery: Wi-Fi Discovery
                                                                                    PID:1384
                                                                                    • C:\Windows\system32\netsh.exe
                                                                                      netsh wlan show profiles
                                                                                      5⤵
                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                      • System Network Configuration Discovery: Wi-Fi Discovery
                                                                                      PID:3912
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
                                                                                    4⤵
                                                                                    • Network Service Discovery
                                                                                    PID:5732
                                                                                    • C:\Windows\system32\systeminfo.exe
                                                                                      systeminfo
                                                                                      5⤵
                                                                                      • Gathers system information
                                                                                      PID:5328
                                                                                    • C:\Windows\system32\HOSTNAME.EXE
                                                                                      hostname
                                                                                      5⤵
                                                                                        PID:4804
                                                                                      • C:\Windows\System32\Wbem\WMIC.exe
                                                                                        wmic logicaldisk get caption,description,providername
                                                                                        5⤵
                                                                                        • Collects information from the system
                                                                                        PID:2364
                                                                                      • C:\Windows\system32\net.exe
                                                                                        net user
                                                                                        5⤵
                                                                                          PID:3484
                                                                                          • C:\Windows\system32\net1.exe
                                                                                            C:\Windows\system32\net1 user
                                                                                            6⤵
                                                                                              PID:5784
                                                                                          • C:\Windows\system32\query.exe
                                                                                            query user
                                                                                            5⤵
                                                                                              PID:5440
                                                                                              • C:\Windows\system32\quser.exe
                                                                                                "C:\Windows\system32\quser.exe"
                                                                                                6⤵
                                                                                                  PID:2260
                                                                                              • C:\Windows\system32\net.exe
                                                                                                net localgroup
                                                                                                5⤵
                                                                                                  PID:4744
                                                                                                  • C:\Windows\system32\net1.exe
                                                                                                    C:\Windows\system32\net1 localgroup
                                                                                                    6⤵
                                                                                                      PID:3648
                                                                                                  • C:\Windows\system32\net.exe
                                                                                                    net localgroup administrators
                                                                                                    5⤵
                                                                                                      PID:2824
                                                                                                      • C:\Windows\system32\net1.exe
                                                                                                        C:\Windows\system32\net1 localgroup administrators
                                                                                                        6⤵
                                                                                                          PID:2188
                                                                                                      • C:\Windows\system32\net.exe
                                                                                                        net user guest
                                                                                                        5⤵
                                                                                                          PID:3492
                                                                                                          • C:\Windows\system32\net1.exe
                                                                                                            C:\Windows\system32\net1 user guest
                                                                                                            6⤵
                                                                                                              PID:4536
                                                                                                          • C:\Windows\system32\net.exe
                                                                                                            net user administrator
                                                                                                            5⤵
                                                                                                              PID:5160
                                                                                                              • C:\Windows\system32\net1.exe
                                                                                                                C:\Windows\system32\net1 user administrator
                                                                                                                6⤵
                                                                                                                  PID:1504
                                                                                                              • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                wmic startup get caption,command
                                                                                                                5⤵
                                                                                                                  PID:5780
                                                                                                                • C:\Windows\system32\tasklist.exe
                                                                                                                  tasklist /svc
                                                                                                                  5⤵
                                                                                                                  • Enumerates processes with tasklist
                                                                                                                  PID:5560
                                                                                                                • C:\Windows\system32\ipconfig.exe
                                                                                                                  ipconfig /all
                                                                                                                  5⤵
                                                                                                                  • Gathers network information
                                                                                                                  PID:5168
                                                                                                                • C:\Windows\system32\ROUTE.EXE
                                                                                                                  route print
                                                                                                                  5⤵
                                                                                                                    PID:5152
                                                                                                                  • C:\Windows\system32\ARP.EXE
                                                                                                                    arp -a
                                                                                                                    5⤵
                                                                                                                    • Network Service Discovery
                                                                                                                    PID:3960
                                                                                                                  • C:\Windows\system32\NETSTAT.EXE
                                                                                                                    netstat -ano
                                                                                                                    5⤵
                                                                                                                    • System Network Connections Discovery
                                                                                                                    • Gathers network information
                                                                                                                    PID:2056
                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                    sc query type= service state= all
                                                                                                                    5⤵
                                                                                                                    • Launches sc.exe
                                                                                                                    PID:3080
                                                                                                                  • C:\Windows\system32\netsh.exe
                                                                                                                    netsh firewall show state
                                                                                                                    5⤵
                                                                                                                    • Modifies Windows Firewall
                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                    PID:3508
                                                                                                                  • C:\Windows\system32\netsh.exe
                                                                                                                    netsh firewall show config
                                                                                                                    5⤵
                                                                                                                    • Modifies Windows Firewall
                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                    PID:1276
                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                                                                                  4⤵
                                                                                                                    PID:5188
                                                                                                                    • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                      wmic csproduct get uuid
                                                                                                                      5⤵
                                                                                                                        PID:3308
                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                                                                                      4⤵
                                                                                                                        PID:5580
                                                                                                                        • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                          wmic csproduct get uuid
                                                                                                                          5⤵
                                                                                                                            PID:5964
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000177001\Mswgoudnv.exe
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\1000177001\Mswgoudnv.exe"
                                                                                                                      2⤵
                                                                                                                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Adds Run key to start application
                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:5180
                                                                                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                    1⤵
                                                                                                                      PID:5008
                                                                                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                      1⤵
                                                                                                                        PID:4912
                                                                                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                        1⤵
                                                                                                                          PID:4080
                                                                                                                        • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                          1⤵
                                                                                                                            PID:3528
                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3364 -ip 3364
                                                                                                                            1⤵
                                                                                                                              PID:620
                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3024 -ip 3024
                                                                                                                              1⤵
                                                                                                                                PID:5720
                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3024 -ip 3024
                                                                                                                                1⤵
                                                                                                                                  PID:5480
                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3024 -ip 3024
                                                                                                                                  1⤵
                                                                                                                                    PID:2260
                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3024 -ip 3024
                                                                                                                                    1⤵
                                                                                                                                      PID:1240
                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3024 -ip 3024
                                                                                                                                      1⤵
                                                                                                                                        PID:5508
                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3024 -ip 3024
                                                                                                                                        1⤵
                                                                                                                                          PID:4536
                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3024 -ip 3024
                                                                                                                                          1⤵
                                                                                                                                            PID:3800
                                                                                                                                          • C:\Users\Admin\explorer
                                                                                                                                            C:\Users\Admin\explorer
                                                                                                                                            1⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            PID:1392
                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3024 -ip 3024
                                                                                                                                            1⤵
                                                                                                                                              PID:5168
                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3024 -ip 3024
                                                                                                                                              1⤵
                                                                                                                                                PID:5484
                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5220 -ip 5220
                                                                                                                                                1⤵
                                                                                                                                                  PID:2272
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5220 -ip 5220
                                                                                                                                                  1⤵
                                                                                                                                                    PID:5452
                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5220 -ip 5220
                                                                                                                                                    1⤵
                                                                                                                                                      PID:5968
                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5220 -ip 5220
                                                                                                                                                      1⤵
                                                                                                                                                        PID:2524
                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5220 -ip 5220
                                                                                                                                                        1⤵
                                                                                                                                                          PID:5276
                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5220 -ip 5220
                                                                                                                                                          1⤵
                                                                                                                                                            PID:5240
                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5220 -ip 5220
                                                                                                                                                            1⤵
                                                                                                                                                              PID:2712
                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5220 -ip 5220
                                                                                                                                                              1⤵
                                                                                                                                                                PID:2576
                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5220 -ip 5220
                                                                                                                                                                1⤵
                                                                                                                                                                  PID:764
                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5220 -ip 5220
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:2216
                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5220 -ip 5220
                                                                                                                                                                    1⤵
                                                                                                                                                                      PID:5996
                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 5220 -ip 5220
                                                                                                                                                                      1⤵
                                                                                                                                                                        PID:6092

                                                                                                                                                                      Network

                                                                                                                                                                      MITRE ATT&CK Enterprise v15

                                                                                                                                                                      Reconnaissance

                                                                                                                                                                      Resource Development

                                                                                                                                                                      Initial Access

                                                                                                                                                                      Execution

                                                                                                                                                                      Command and Scripting Interpreter

                                                                                                                                                                      2
                                                                                                                                                                      T1059

                                                                                                                                                                      PowerShell

                                                                                                                                                                      1
                                                                                                                                                                      T1059.001

                                                                                                                                                                      Scheduled Task/Job

                                                                                                                                                                      1
                                                                                                                                                                      T1053

                                                                                                                                                                      Scheduled Task

                                                                                                                                                                      1
                                                                                                                                                                      T1053.005

                                                                                                                                                                      Persistence

                                                                                                                                                                      Account Manipulation

                                                                                                                                                                      1
                                                                                                                                                                      T1098

                                                                                                                                                                      Boot or Logon Autostart Execution

                                                                                                                                                                      1
                                                                                                                                                                      T1547

                                                                                                                                                                      Registry Run Keys / Startup Folder

                                                                                                                                                                      1
                                                                                                                                                                      T1547.001

                                                                                                                                                                      Create or Modify System Process

                                                                                                                                                                      1
                                                                                                                                                                      T1543

                                                                                                                                                                      Windows Service

                                                                                                                                                                      1
                                                                                                                                                                      T1543.003

                                                                                                                                                                      Event Triggered Execution

                                                                                                                                                                      1
                                                                                                                                                                      T1546

                                                                                                                                                                      Netsh Helper DLL

                                                                                                                                                                      1
                                                                                                                                                                      T1546.007

                                                                                                                                                                      Scheduled Task/Job

                                                                                                                                                                      1
                                                                                                                                                                      T1053

                                                                                                                                                                      Scheduled Task

                                                                                                                                                                      1
                                                                                                                                                                      T1053.005

                                                                                                                                                                      Privilege Escalation

                                                                                                                                                                      Account Manipulation

                                                                                                                                                                      1
                                                                                                                                                                      T1098

                                                                                                                                                                      Boot or Logon Autostart Execution

                                                                                                                                                                      1
                                                                                                                                                                      T1547

                                                                                                                                                                      Registry Run Keys / Startup Folder

                                                                                                                                                                      1
                                                                                                                                                                      T1547.001

                                                                                                                                                                      Create or Modify System Process

                                                                                                                                                                      1
                                                                                                                                                                      T1543

                                                                                                                                                                      Windows Service

                                                                                                                                                                      1
                                                                                                                                                                      T1543.003

                                                                                                                                                                      Event Triggered Execution

                                                                                                                                                                      1
                                                                                                                                                                      T1546

                                                                                                                                                                      Netsh Helper DLL

                                                                                                                                                                      1
                                                                                                                                                                      T1546.007

                                                                                                                                                                      Scheduled Task/Job

                                                                                                                                                                      1
                                                                                                                                                                      T1053

                                                                                                                                                                      Scheduled Task

                                                                                                                                                                      1
                                                                                                                                                                      T1053.005

                                                                                                                                                                      Defense Evasion

                                                                                                                                                                      Hide Artifacts

                                                                                                                                                                      2
                                                                                                                                                                      T1564

                                                                                                                                                                      Hidden Files and Directories

                                                                                                                                                                      2
                                                                                                                                                                      T1564.001

                                                                                                                                                                      Impair Defenses

                                                                                                                                                                      1
                                                                                                                                                                      T1562

                                                                                                                                                                      Disable or Modify System Firewall

                                                                                                                                                                      1
                                                                                                                                                                      T1562.004

                                                                                                                                                                      Modify Registry

                                                                                                                                                                      2
                                                                                                                                                                      T1112

                                                                                                                                                                      Subvert Trust Controls

                                                                                                                                                                      1
                                                                                                                                                                      T1553

                                                                                                                                                                      Install Root Certificate

                                                                                                                                                                      1
                                                                                                                                                                      T1553.004

                                                                                                                                                                      Virtualization/Sandbox Evasion

                                                                                                                                                                      2
                                                                                                                                                                      T1497

                                                                                                                                                                      Credential Access

                                                                                                                                                                      Credentials from Password Stores

                                                                                                                                                                      1
                                                                                                                                                                      T1555

                                                                                                                                                                      Credentials from Web Browsers

                                                                                                                                                                      1
                                                                                                                                                                      T1555.003

                                                                                                                                                                      Unsecured Credentials

                                                                                                                                                                      4
                                                                                                                                                                      T1552

                                                                                                                                                                      Credentials In Files

                                                                                                                                                                      4
                                                                                                                                                                      T1552.001

                                                                                                                                                                      Discovery

                                                                                                                                                                      Browser Information Discovery

                                                                                                                                                                      1
                                                                                                                                                                      T1217

                                                                                                                                                                      Network Service Discovery

                                                                                                                                                                      1
                                                                                                                                                                      T1046

                                                                                                                                                                      Permission Groups Discovery

                                                                                                                                                                      1
                                                                                                                                                                      T1069

                                                                                                                                                                      Local Groups

                                                                                                                                                                      1
                                                                                                                                                                      T1069.001

                                                                                                                                                                      Process Discovery

                                                                                                                                                                      1
                                                                                                                                                                      T1057

                                                                                                                                                                      Query Registry

                                                                                                                                                                      8
                                                                                                                                                                      T1012

                                                                                                                                                                      System Information Discovery

                                                                                                                                                                      8
                                                                                                                                                                      T1082

                                                                                                                                                                      System Location Discovery

                                                                                                                                                                      1
                                                                                                                                                                      T1614

                                                                                                                                                                      System Language Discovery

                                                                                                                                                                      1
                                                                                                                                                                      T1614.001

                                                                                                                                                                      System Network Configuration Discovery

                                                                                                                                                                      1
                                                                                                                                                                      T1016

                                                                                                                                                                      Wi-Fi Discovery

                                                                                                                                                                      1
                                                                                                                                                                      T1016.002

                                                                                                                                                                      System Network Connections Discovery

                                                                                                                                                                      1
                                                                                                                                                                      T1049

                                                                                                                                                                      Virtualization/Sandbox Evasion

                                                                                                                                                                      2
                                                                                                                                                                      T1497

                                                                                                                                                                      Lateral Movement

                                                                                                                                                                      Collection

                                                                                                                                                                      Clipboard Data

                                                                                                                                                                      1
                                                                                                                                                                      T1115

                                                                                                                                                                      Data from Local System

                                                                                                                                                                      4
                                                                                                                                                                      T1005

                                                                                                                                                                      Command and Control

                                                                                                                                                                      Web Service

                                                                                                                                                                      1
                                                                                                                                                                      T1102

                                                                                                                                                                      Exfiltration

                                                                                                                                                                      Impact

                                                                                                                                                                      Replay Monitor

                                                                                                                                                                      Loading Replay Monitor...

                                                                                                                                                                      Downloads

                                                                                                                                                                      • C:\ProgramData\HDGDHCGC
                                                                                                                                                                        Filesize

                                                                                                                                                                        116KB

                                                                                                                                                                        MD5

                                                                                                                                                                        f70aa3fa04f0536280f872ad17973c3d

                                                                                                                                                                        SHA1

                                                                                                                                                                        50a7b889329a92de1b272d0ecf5fce87395d3123

                                                                                                                                                                        SHA256

                                                                                                                                                                        8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

                                                                                                                                                                        SHA512

                                                                                                                                                                        30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\ProgramData\JKKFIIEBKEGIEBFIJKFI
                                                                                                                                                                        Filesize

                                                                                                                                                                        11KB

                                                                                                                                                                        MD5

                                                                                                                                                                        1e8966070362e9c4bd7dc56bfd752b7e

                                                                                                                                                                        SHA1

                                                                                                                                                                        f7c7948328b833559d2c0062657d036905eb216b

                                                                                                                                                                        SHA256

                                                                                                                                                                        58150ef02f7198316c310f44591c6680e2e86c1e262a5f4ba18808665f2e652b

                                                                                                                                                                        SHA512

                                                                                                                                                                        054f0ababbfa8b3a33aa4308585136f84aba2bdbb8164ca985a89b19ac0302a41200d8c40ca6890d451a809a8bc8f435e6968d3bb576b1451426b81f59d7f904

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\ProgramData\KKKJKEBK
                                                                                                                                                                        Filesize

                                                                                                                                                                        114KB

                                                                                                                                                                        MD5

                                                                                                                                                                        503d6b554ee03ef54c8deb8c440f6012

                                                                                                                                                                        SHA1

                                                                                                                                                                        e306b2a07bf87e90c63418024c92933bcc3f4d7f

                                                                                                                                                                        SHA256

                                                                                                                                                                        4c407af4d5326d1ea43e89945eda0b86c81ad0d12bd5465b327c0fd1df56f7d4

                                                                                                                                                                        SHA512

                                                                                                                                                                        3490b51dfe2e8f6efa3cdeee7bc08c03072597861c1a2f88dc830139abb7611c671ddad345c2af97bb1e88927c09467ed92b5feafe6696d7e2b31b3bd3447437

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\ProgramData\mozglue.dll
                                                                                                                                                                        Filesize

                                                                                                                                                                        593KB

                                                                                                                                                                        MD5

                                                                                                                                                                        c8fd9be83bc728cc04beffafc2907fe9

                                                                                                                                                                        SHA1

                                                                                                                                                                        95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                                                                                                                                        SHA256

                                                                                                                                                                        ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                                                                                                                                        SHA512

                                                                                                                                                                        fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\ProgramData\nss3.dll
                                                                                                                                                                        Filesize

                                                                                                                                                                        2.0MB

                                                                                                                                                                        MD5

                                                                                                                                                                        1cc453cdf74f31e4d913ff9c10acdde2

                                                                                                                                                                        SHA1

                                                                                                                                                                        6e85eae544d6e965f15fa5c39700fa7202f3aafe

                                                                                                                                                                        SHA256

                                                                                                                                                                        ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                                                                                                                                                                        SHA512

                                                                                                                                                                        dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                                        Filesize

                                                                                                                                                                        152B

                                                                                                                                                                        MD5

                                                                                                                                                                        0446fcdd21b016db1f468971fb82a488

                                                                                                                                                                        SHA1

                                                                                                                                                                        726b91562bb75f80981f381e3c69d7d832c87c9d

                                                                                                                                                                        SHA256

                                                                                                                                                                        62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

                                                                                                                                                                        SHA512

                                                                                                                                                                        1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                                        Filesize

                                                                                                                                                                        152B

                                                                                                                                                                        MD5

                                                                                                                                                                        9b008261dda31857d68792b46af6dd6d

                                                                                                                                                                        SHA1

                                                                                                                                                                        e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

                                                                                                                                                                        SHA256

                                                                                                                                                                        9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

                                                                                                                                                                        SHA512

                                                                                                                                                                        78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0
                                                                                                                                                                        Filesize

                                                                                                                                                                        44KB

                                                                                                                                                                        MD5

                                                                                                                                                                        a9c6a8bc13896af95e751307d1ed6d0e

                                                                                                                                                                        SHA1

                                                                                                                                                                        6dbf14d4f6d5cf4d70ae745bca28642e20b54e04

                                                                                                                                                                        SHA256

                                                                                                                                                                        cff7e9f33099f3ffd7b254bb274e3081a7e49542994d6729308bf262e6996e76

                                                                                                                                                                        SHA512

                                                                                                                                                                        15adeb016501c0c1e1c6c092fabf9c33058f725f9718b9c2031974d9607ecd4a019fadf04c2bb7fb8f9ee0bd90f7a63c1b9fd8587bfd4eeaf663e8794043db83

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
                                                                                                                                                                        Filesize

                                                                                                                                                                        264KB

                                                                                                                                                                        MD5

                                                                                                                                                                        037efc9af56bf329d022d14475901ce1

                                                                                                                                                                        SHA1

                                                                                                                                                                        37456874ec3ba5362044ad3e5151ee318aee18fe

                                                                                                                                                                        SHA256

                                                                                                                                                                        4778a266c0e0dd196ef77512e6de1313ee38427eb3f18317376503ad74ffab14

                                                                                                                                                                        SHA512

                                                                                                                                                                        9193fd662c40a6289d104e6ad79e2fbd8ace2d8f44a13240eeb15ed8bdfeeb65a1a3e608620b3d887c7a82e1121dfe571fc42eb4bef46cdb032d444274c9d492

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                                                                                                        Filesize

                                                                                                                                                                        168B

                                                                                                                                                                        MD5

                                                                                                                                                                        1d93d13fe1aa6b2d360437cb6f82b5de

                                                                                                                                                                        SHA1

                                                                                                                                                                        fd4dca52355c71508e64bc1500ceef7ebd5fc3c7

                                                                                                                                                                        SHA256

                                                                                                                                                                        21190bf6adc3ff6c391af0d9780e27cb6299ef5ce4a5f701f3120fa6dcc24ff2

                                                                                                                                                                        SHA512

                                                                                                                                                                        f896d8190d4b95de935fd4a2611591f81f2c082a8c6c58132fd05f7dcbc1da235f516643a44bcc1b65d31978710405ee34c1ef3b690321040c4d31219e4e9664

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG
                                                                                                                                                                        Filesize

                                                                                                                                                                        322B

                                                                                                                                                                        MD5

                                                                                                                                                                        88c9de760b5256310029aa3887c6706a

                                                                                                                                                                        SHA1

                                                                                                                                                                        6910ad35ee0beb47500dfa2979833fd4bc97365c

                                                                                                                                                                        SHA256

                                                                                                                                                                        54cc3974dec009b865c2566e43b65fa61cbf8835241564db040989bccf502c0e

                                                                                                                                                                        SHA512

                                                                                                                                                                        e7ae40c7c9d29770a5599a2b30877e8efd22aa6ddb7823cc512c24ddc1537aac25ed7de50081c317e1b8b553e41d284d29eb0fd3a0003a172f240f74c211ab32

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
                                                                                                                                                                        Filesize

                                                                                                                                                                        331B

                                                                                                                                                                        MD5

                                                                                                                                                                        c08515076097b25356307f7f1f9169d6

                                                                                                                                                                        SHA1

                                                                                                                                                                        bedaa5f5965e05d3d4154029ff1b9e50bba9e39b

                                                                                                                                                                        SHA256

                                                                                                                                                                        75bc9269f547823866ceaf7cea9af9756f39a7a540116b90e838d1990ce4e4a6

                                                                                                                                                                        SHA512

                                                                                                                                                                        20d4aee4c5ccbbaf8fc14cb49714c0f17bf14e0ee70334b218a153597014c51ca79541027cb1c8c5ddf49d1806eaf435bd7efe503a6b3da8de8625beadade0db

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                        Filesize

                                                                                                                                                                        5KB

                                                                                                                                                                        MD5

                                                                                                                                                                        d55fa4d332257340e5d6974a2fa30022

                                                                                                                                                                        SHA1

                                                                                                                                                                        442cd617bae4aeb4156bbb790299e21b08bdb0f4

                                                                                                                                                                        SHA256

                                                                                                                                                                        1d8c830e34f7d40afb14fd98bfa5c5270144f879b37cb664ea94496259c284e8

                                                                                                                                                                        SHA512

                                                                                                                                                                        634cebf7199fd5f65522e6f65b9d4d0de0a6bd816c342b969e566f838b1fabd34828eab9a26e2e2595446f6b45e87db65ae7578a7674ec8c669327e1fc929aa9

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                        Filesize

                                                                                                                                                                        6KB

                                                                                                                                                                        MD5

                                                                                                                                                                        c02b7983465f29a2ec689b15a8b7fc62

                                                                                                                                                                        SHA1

                                                                                                                                                                        b414e8c51ca76cd6d1be129ef6aeeaded9218a42

                                                                                                                                                                        SHA256

                                                                                                                                                                        7eaacff788630e6d265ccbd296301f9aea471c806b3e93770cd1324ce634017c

                                                                                                                                                                        SHA512

                                                                                                                                                                        f053ae86cddcff08a9d2d490616c46bb39959cb278a96e51603252c558e0f934e37ca778275642ef3fc27b5fd6464abf3a15c82c2ed967d459abbd9b0a318637

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                        Filesize

                                                                                                                                                                        5KB

                                                                                                                                                                        MD5

                                                                                                                                                                        8400c4f72832c636a8ba6617020cb397

                                                                                                                                                                        SHA1

                                                                                                                                                                        d068e328f1fa1aea093f1c6ff7b25d1dcaa0d4d1

                                                                                                                                                                        SHA256

                                                                                                                                                                        727970d35e6d0e410263ccdcfc9ea2803a3492ab6cef5d1f06835b3acd817a50

                                                                                                                                                                        SHA512

                                                                                                                                                                        77bc253d6ad76082d0b123511c2b1c70cf515341c45dc815854b023316f97503c3c782bef9a1825f26112efcc491e33b198a348cc5109f306cfe1d9a15a3d35a

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log
                                                                                                                                                                        Filesize

                                                                                                                                                                        99B

                                                                                                                                                                        MD5

                                                                                                                                                                        ba92e5bbca79ea378c3376187ae43eae

                                                                                                                                                                        SHA1

                                                                                                                                                                        f0947098577f6d0fe07422acbe3d71510289e2fc

                                                                                                                                                                        SHA256

                                                                                                                                                                        ccf4c13cd2433fe8a7add616c7d8e6b384cf441e4d948de5c6fc73e9315c619f

                                                                                                                                                                        SHA512

                                                                                                                                                                        aa1d8b7eb9add6c5ed5635295f501f950914affc3fa9aa1ee58167ed110f99a1760b05e4efb779df8e432eab1b2a0fc9cf9d67a05b2d5432ff8f82c620a38a62

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG
                                                                                                                                                                        Filesize

                                                                                                                                                                        319B

                                                                                                                                                                        MD5

                                                                                                                                                                        529648493b246790c4ea514e8e6421d1

                                                                                                                                                                        SHA1

                                                                                                                                                                        d6de1696e41351d47a3f3fb28d19fe9ceab41046

                                                                                                                                                                        SHA256

                                                                                                                                                                        738a6048ad5fe47e1e1c592c2afda824117684cf054b806b727c69d393dfbf6d

                                                                                                                                                                        SHA512

                                                                                                                                                                        088df69d04fc3f57ff884cf35845c5eb31b847e5317fdff1c16c2756cb69dabc744b350768be42ff368b3562bdf993e75a4487e214f5f3b3d33e68e364c80314

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13368765704647865
                                                                                                                                                                        Filesize

                                                                                                                                                                        373B

                                                                                                                                                                        MD5

                                                                                                                                                                        1425a1aa5dd20444f139abb941d90431

                                                                                                                                                                        SHA1

                                                                                                                                                                        9924d5f38b6df5ef18940c61465305545a7c4e94

                                                                                                                                                                        SHA256

                                                                                                                                                                        76b19befe298107242ff43cf5a65443ee05a8582f2753d61f15899bffef0e8b3

                                                                                                                                                                        SHA512

                                                                                                                                                                        8f8380bb1fcb40e7d2acc269c7ce3c0e03effc8303f68307652d915b6ec4129ef9cd46dc41ab0a519e71c18ef1ec3c27f00f45e11751ee5502d21e2038746b2d

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
                                                                                                                                                                        Filesize

                                                                                                                                                                        350B

                                                                                                                                                                        MD5

                                                                                                                                                                        75cc7218cab44ac02c5f39ab04b625e6

                                                                                                                                                                        SHA1

                                                                                                                                                                        179c459adcee49ce4943e57b651e1839d3448fd0

                                                                                                                                                                        SHA256

                                                                                                                                                                        5cbf9d4b3ac4a6093252de2c9b1ec85c1b9943ed3da3ded507d9d088210b1f9b

                                                                                                                                                                        SHA512

                                                                                                                                                                        3e3e1b463daf2d79e0fa7539a614d3d0085cf610f23d1b6d76ae14d4197b14c1942b74ce40e45593c552f341bc5190a3e4c8cc4c4432644cd7d3e2974f49f40a

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
                                                                                                                                                                        Filesize

                                                                                                                                                                        326B

                                                                                                                                                                        MD5

                                                                                                                                                                        4020d4bd65a1f79e48dc3e851153b28b

                                                                                                                                                                        SHA1

                                                                                                                                                                        b7debf7e98df9dffab477330c93a4948a734960c

                                                                                                                                                                        SHA256

                                                                                                                                                                        5a571841b648826dc6cfac2536191417f0e3fc4c9f8f4689eef6b04552e00d67

                                                                                                                                                                        SHA512

                                                                                                                                                                        6a24c69edf4b7ae1feffafb7d8b99cd52e7ce831638ba98e48836347406c2617a75b24873bd88370207a006d96e052233acc8e15c49d9c614c9cd8cba34f1f92

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                                                                                                        Filesize

                                                                                                                                                                        16B

                                                                                                                                                                        MD5

                                                                                                                                                                        6752a1d65b201c13b62ea44016eb221f

                                                                                                                                                                        SHA1

                                                                                                                                                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                                                                                                                        SHA256

                                                                                                                                                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                                                                                                                        SHA512

                                                                                                                                                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal
                                                                                                                                                                        Filesize

                                                                                                                                                                        16KB

                                                                                                                                                                        MD5

                                                                                                                                                                        a2a1f7068954e5378e39328df7e6b471

                                                                                                                                                                        SHA1

                                                                                                                                                                        f20a4db2396e4cc222df593e6803d3ac62cea770

                                                                                                                                                                        SHA256

                                                                                                                                                                        02a105afbead8c58922a7a5bf5b99c07830518e971f2f1da0fc60106155b9d3c

                                                                                                                                                                        SHA512

                                                                                                                                                                        0158408e07f3c07833bc4e3b52bdb17a3c00a836515c73468bb1347a071d9a488c91cb49a3bd87a951ea7b537478d26a1dc08dafd74ab6dbd7c9246344ddd847

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
                                                                                                                                                                        Filesize

                                                                                                                                                                        319B

                                                                                                                                                                        MD5

                                                                                                                                                                        0f880d418b06f3b17fdef711e1b15809

                                                                                                                                                                        SHA1

                                                                                                                                                                        2350c9668335140cfdae3aa50005689ee9f6b0bc

                                                                                                                                                                        SHA256

                                                                                                                                                                        5f4544a36a8611e3f3a4663b9457566439d1693adbbc4996d3cf8af8488007e7

                                                                                                                                                                        SHA512

                                                                                                                                                                        89cef42355e26e0e1c1eae5711ae959ab4ac3f95f4ef6636c0472146119b6c6b9c8d985ce93eb722a36b9381012c93cdbe7d1cc61181221c8ee54c2c44192ff4

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log
                                                                                                                                                                        Filesize

                                                                                                                                                                        194B

                                                                                                                                                                        MD5

                                                                                                                                                                        a48763b50473dbd0a0922258703d673e

                                                                                                                                                                        SHA1

                                                                                                                                                                        5a3572629bcdf5586d79823b6ddbf3d9736aa251

                                                                                                                                                                        SHA256

                                                                                                                                                                        9bb14ea03c24f4c3543b22a8b4e9d306b926d4950cfcc410808ecac2407409fd

                                                                                                                                                                        SHA512

                                                                                                                                                                        536406435e35f8204ce6d3b64850ffb656813aacbc5172af895c16c4f183005d69999c4f48f948875d9837890f290b51a7358ff974fb1efc6ba3d1592426cca1

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
                                                                                                                                                                        Filesize

                                                                                                                                                                        337B

                                                                                                                                                                        MD5

                                                                                                                                                                        59c96ae3ad4db7ef5280eab876b59ecd

                                                                                                                                                                        SHA1

                                                                                                                                                                        3c091bf77e4a746cc377d1ec3b924e0a4e91a68c

                                                                                                                                                                        SHA256

                                                                                                                                                                        6a4ef34bb71383aff32e236f20ad3a338e4d6332b953d0ce0a4bee808e3b63f6

                                                                                                                                                                        SHA512

                                                                                                                                                                        2e56abc7b1cf1ed69e89b018f66f41a4d0ab291cc68f4e5f39483fefcc9577c3df448fb2be10f94cc80a798462e91aa8548423ba7967e064c7824b553c8a0aaf

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0
                                                                                                                                                                        Filesize

                                                                                                                                                                        44KB

                                                                                                                                                                        MD5

                                                                                                                                                                        6a80e663cb1e0d4131ffff12f118f173

                                                                                                                                                                        SHA1

                                                                                                                                                                        f3f2f8c771e056b3a107670cc9aba19ca6f39814

                                                                                                                                                                        SHA256

                                                                                                                                                                        a9c1792a0b9a50f1dfe8410e9310c2e74a2b4bd54bdf392ca139f337f58185bc

                                                                                                                                                                        SHA512

                                                                                                                                                                        a9a2ac7c77fd2863a1c2631ebba7bc649699b3ee9596daf2fa0d7f0d10998b09e0cb5e62cc777681b41cb40db9c4f4ceae8537bd32b89dc613687353a959b73c

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
                                                                                                                                                                        Filesize

                                                                                                                                                                        264KB

                                                                                                                                                                        MD5

                                                                                                                                                                        5aba8cb4cab1fd753bb361714ccefc25

                                                                                                                                                                        SHA1

                                                                                                                                                                        1672f26dd5d0f38c3b4901b20a2bcf5e76a51095

                                                                                                                                                                        SHA256

                                                                                                                                                                        c8e0c507d3c5e4c254336d5b543a47851afcc1424d471c8f42952ac6f8e1b91d

                                                                                                                                                                        SHA512

                                                                                                                                                                        3085d690513bdaddc65228b7bfba8a62c2366dedebf633b92e6eb45d46483d83f31aca71a6047f692f5f863bde297f803ad953f2f3baad00b226fe162c77b7ab

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3
                                                                                                                                                                        Filesize

                                                                                                                                                                        4.0MB

                                                                                                                                                                        MD5

                                                                                                                                                                        4459bf26eebf0293b75c624cdf1c6b23

                                                                                                                                                                        SHA1

                                                                                                                                                                        2a0cf63d7d2a2a729b1b84e221955a5ab46f2e47

                                                                                                                                                                        SHA256

                                                                                                                                                                        2ddd13a6fc974d25f11c33a905c39ba8b6d266f7c58a93a41e5ada5975c821c7

                                                                                                                                                                        SHA512

                                                                                                                                                                        f9246c653ea54d90833734d359ebba743e97a7978639a8c48f64f2b026affed9281e65a44d12af2224e0493df1e3ca3dfd8fd101bd4c5170471b5dd6dbaf8f12

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
                                                                                                                                                                        Filesize

                                                                                                                                                                        11B

                                                                                                                                                                        MD5

                                                                                                                                                                        838a7b32aefb618130392bc7d006aa2e

                                                                                                                                                                        SHA1

                                                                                                                                                                        5159e0f18c9e68f0e75e2239875aa994847b8290

                                                                                                                                                                        SHA256

                                                                                                                                                                        ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

                                                                                                                                                                        SHA512

                                                                                                                                                                        9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                                                        Filesize

                                                                                                                                                                        11KB

                                                                                                                                                                        MD5

                                                                                                                                                                        7bd790d293a05663b1a72414f6c69609

                                                                                                                                                                        SHA1

                                                                                                                                                                        429c6e53dd326263521bd2767ac6168359db106a

                                                                                                                                                                        SHA256

                                                                                                                                                                        2b8525c131a4b7533d7ee4158ceb36c700404cf6213d7093949d592a169fc586

                                                                                                                                                                        SHA512

                                                                                                                                                                        dd54ba2a892747d43f3c69e88f71300a7249a46f714bf24c709ce81ab91a32eb5343b428cb7e181b697825702a67f9dc2c9e946dc54e6ce7656f78cb44218e54

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
                                                                                                                                                                        Filesize

                                                                                                                                                                        4KB

                                                                                                                                                                        MD5

                                                                                                                                                                        6159e322abc5a93f30b5417f7f71be53

                                                                                                                                                                        SHA1

                                                                                                                                                                        859813c482771f0e0dbb73d08744369a4e31ff19

                                                                                                                                                                        SHA256

                                                                                                                                                                        713d3f5f52dd7f876078b91fa784a57e65dde21c0fbe194fa419cd8c15790016

                                                                                                                                                                        SHA512

                                                                                                                                                                        baba96b18432535f9755eca4636f85554137bd908646d08c1fd7238ca133a7e8dffe025cd05bcfce5d86fc8795b51c1da6f726edc2038335deb9364593e64645

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe
                                                                                                                                                                        Filesize

                                                                                                                                                                        323KB

                                                                                                                                                                        MD5

                                                                                                                                                                        d6fca3cd57293390ccf9d2bc83662dda

                                                                                                                                                                        SHA1

                                                                                                                                                                        94496d01aa91e981846299eeac5631ab8b8c4a93

                                                                                                                                                                        SHA256

                                                                                                                                                                        74e0bf30c9107fa716920c878521037db3ca4eeda5c14d745a2459eb14d1190e

                                                                                                                                                                        SHA512

                                                                                                                                                                        3990a61000c7dad33e75ce1ca670f5a7b66c0ce1215997dccfca5d4163fedfc7b736bca01c2f1064b0c780eccb039dd0de6be001c87399c1d69da0f456db2a8e

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
                                                                                                                                                                        Filesize

                                                                                                                                                                        1.1MB

                                                                                                                                                                        MD5

                                                                                                                                                                        8e74497aff3b9d2ddb7e7f819dfc69ba

                                                                                                                                                                        SHA1

                                                                                                                                                                        1d18154c206083ead2d30995ce2847cbeb6cdbc1

                                                                                                                                                                        SHA256

                                                                                                                                                                        d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66

                                                                                                                                                                        SHA512

                                                                                                                                                                        9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000064001\kitty.exe
                                                                                                                                                                        Filesize

                                                                                                                                                                        319KB

                                                                                                                                                                        MD5

                                                                                                                                                                        0ec1f7cc17b6402cd2df150e0e5e92ca

                                                                                                                                                                        SHA1

                                                                                                                                                                        8405b9bf28accb6f1907fbe28d2536da4fba9fc9

                                                                                                                                                                        SHA256

                                                                                                                                                                        4c5ca5701285337a96298ebf994f8ba013d290c63afa65b5c2b05771fbbb9ed4

                                                                                                                                                                        SHA512

                                                                                                                                                                        7caa2416bc7878493b62a184ddc844d201a9ab5282abfa77a616316af39ff65309e37bb566b3e29d9e764e08f4eda43a06464acaf9962f911b33e6dbc60c1861

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe
                                                                                                                                                                        Filesize

                                                                                                                                                                        187KB

                                                                                                                                                                        MD5

                                                                                                                                                                        e78239a5b0223499bed12a752b893cad

                                                                                                                                                                        SHA1

                                                                                                                                                                        a429b46db791f433180ae4993ebb656d2f9393a4

                                                                                                                                                                        SHA256

                                                                                                                                                                        80befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89

                                                                                                                                                                        SHA512

                                                                                                                                                                        cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000129001\clcs.exe
                                                                                                                                                                        Filesize

                                                                                                                                                                        7.9MB

                                                                                                                                                                        MD5

                                                                                                                                                                        d23710b05767ac5d4e1d4754f468599e

                                                                                                                                                                        SHA1

                                                                                                                                                                        6fbe21034afe7850a1e608ea67460c25aebb4232

                                                                                                                                                                        SHA256

                                                                                                                                                                        b78c67f56b7af5533a502fef2ed9b0ce4c9d507214a74f7d0501611941197b75

                                                                                                                                                                        SHA512

                                                                                                                                                                        e021881e5050b14ab78bcaa686d180b88ac620876cd45525b7648b04a8b672010832a3e8f40221c1e6420b9f6ceda1918a2cc04eb56db9dde39aae3c63dc8a37

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000135001\14082024.exe
                                                                                                                                                                        Filesize

                                                                                                                                                                        304KB

                                                                                                                                                                        MD5

                                                                                                                                                                        9bba979bb2972a3214a399054242109b

                                                                                                                                                                        SHA1

                                                                                                                                                                        60adcedb0f347580fb2c1faadb92345c602c54e9

                                                                                                                                                                        SHA256

                                                                                                                                                                        17b71b1895978b7aaf5a0184948e33ac3d70ce979030d5a9a195a1c256f6b368

                                                                                                                                                                        SHA512

                                                                                                                                                                        89285f67c4c40365f4028bc18dd658ad40b68ff3bcf15f2547fc8f9d9c3d8021e2950de8565e03451b9b4ebace7ed557df24732af632fdb74cbd9eb02cf08788

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000142101\build2.exe
                                                                                                                                                                        Filesize

                                                                                                                                                                        481KB

                                                                                                                                                                        MD5

                                                                                                                                                                        f9a4f6684d1bf48406a42921aebc1596

                                                                                                                                                                        SHA1

                                                                                                                                                                        c9186ff53de4724ede20c6485136b4b2072bb6a6

                                                                                                                                                                        SHA256

                                                                                                                                                                        e0a051f93d4c1e81cc142181d14249e246be4c169645d667267134b664e75042

                                                                                                                                                                        SHA512

                                                                                                                                                                        67294a47dfef6aba404939497c403f93318841e9c5ee28b706f7506b5dff2630381e28e86f6dcbfdff2427092a515db1dc0a04e334e7f8de8b0b682269ff88fd

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000147001\BattleGermany.exe
                                                                                                                                                                        Filesize

                                                                                                                                                                        8.3MB

                                                                                                                                                                        MD5

                                                                                                                                                                        b7df5fdcfdc3f46b0b4f28c1ffb82937

                                                                                                                                                                        SHA1

                                                                                                                                                                        3209511839cd917318c754e0105c1d0cf298f25b

                                                                                                                                                                        SHA256

                                                                                                                                                                        7636d2367079eabd9da2bb40935df3da580affc47473fd93ed3b2e01ee6c46e5

                                                                                                                                                                        SHA512

                                                                                                                                                                        8a65c4e2b0755323293736fc01eb445071e04f7e2c345d2838bf7a89887f40c6e3b81df4bb35807d9a47ffa322b42383194baec45fd9b3f1e31cbcb6a72e819f

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe
                                                                                                                                                                        Filesize

                                                                                                                                                                        1.1MB

                                                                                                                                                                        MD5

                                                                                                                                                                        7adfc6a2e7a5daa59d291b6e434a59f3

                                                                                                                                                                        SHA1

                                                                                                                                                                        e21ef8be7b78912bed36121404270e5597a3fe25

                                                                                                                                                                        SHA256

                                                                                                                                                                        fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693

                                                                                                                                                                        SHA512

                                                                                                                                                                        30f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000157001\coreplugin.exe
                                                                                                                                                                        Filesize

                                                                                                                                                                        1.1MB

                                                                                                                                                                        MD5

                                                                                                                                                                        9954f7ed32d9a20cda8545c526036143

                                                                                                                                                                        SHA1

                                                                                                                                                                        8d74385b24155fce660ab0ad076d070f8611024a

                                                                                                                                                                        SHA256

                                                                                                                                                                        a221b40667002cd19eece4e45e5dbb6f3c3dc1890870cf28ebcca0e4850102f5

                                                                                                                                                                        SHA512

                                                                                                                                                                        76ca2c0edc3ffdc0c357f7f43abc17b130618096fa9db41795272c5c6ad9829046194d3657ad41f4afec5a0b2e5ed9750a31e545e36a2fb19e6c50101ab2cabd

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000162001\Identification-2.exe
                                                                                                                                                                        Filesize

                                                                                                                                                                        162B

                                                                                                                                                                        MD5

                                                                                                                                                                        1b7c22a214949975556626d7217e9a39

                                                                                                                                                                        SHA1

                                                                                                                                                                        d01c97e2944166ed23e47e4a62ff471ab8fa031f

                                                                                                                                                                        SHA256

                                                                                                                                                                        340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

                                                                                                                                                                        SHA512

                                                                                                                                                                        ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000167001\crypted8888.exe
                                                                                                                                                                        Filesize

                                                                                                                                                                        208KB

                                                                                                                                                                        MD5

                                                                                                                                                                        031836b5b4c2fc0ba30f29e8a936b24e

                                                                                                                                                                        SHA1

                                                                                                                                                                        adc7e7ec27f548afd50fac684c009cfe5c2e0090

                                                                                                                                                                        SHA256

                                                                                                                                                                        bf4f27f6932ce75b1746f5364af3abacbdafa59913da513a168d86ea0ad3a3a4

                                                                                                                                                                        SHA512

                                                                                                                                                                        ac58ed6b9a3ce4c35366e99e72e4ee1c87048a11979c91f69740d49b3c1f4f4dc3cbaa66287c73530806b8359933e7b6df0bbab01bc3dd4f351988a6a3cd3b6d

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000169001\explorer.exe
                                                                                                                                                                        Filesize

                                                                                                                                                                        87KB

                                                                                                                                                                        MD5

                                                                                                                                                                        7bc9e427746a95ed037db5e0b3230780

                                                                                                                                                                        SHA1

                                                                                                                                                                        e5fb0551239eb8edf5b117b04a86742c7780355c

                                                                                                                                                                        SHA256

                                                                                                                                                                        3d8b1b6802f265ff8eb229c38ff81824f3652f271eb97b7bfef86db369902a08

                                                                                                                                                                        SHA512

                                                                                                                                                                        ae6e823d72a1a976401726ba3dfb61919bf529719fc555c680a99b3a58c15c982b9a8024d4ca2dab933acd1cc22c1f66bc0d46e7d0e7422825dad9c77852808b

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000170001\LummaC22222.exe
                                                                                                                                                                        Filesize

                                                                                                                                                                        258KB

                                                                                                                                                                        MD5

                                                                                                                                                                        40e9f5e6b35423ed5af9a791fc6b8740

                                                                                                                                                                        SHA1

                                                                                                                                                                        75d24d3d05a855bb347f4e3a94eae4c38981aca9

                                                                                                                                                                        SHA256

                                                                                                                                                                        7fdd7da7975da141ab5a48b856d24fba2ff35f52ad071119f6a83548494ba816

                                                                                                                                                                        SHA512

                                                                                                                                                                        c2150dfb166653a2627aba466a6d98c0f426232542afc6a3c6fb5ebb04b114901233f51d57ea59dbef988d038d4103a637d9a51015104213b0be0fe09c96aea8

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe
                                                                                                                                                                        Filesize

                                                                                                                                                                        10.5MB

                                                                                                                                                                        MD5

                                                                                                                                                                        7fffe8702479239234bce6013bcad409

                                                                                                                                                                        SHA1

                                                                                                                                                                        ee7aaecaeff869350ead69c907b77d5b0afd3f09

                                                                                                                                                                        SHA256

                                                                                                                                                                        7870eda6f78bde1ea7c083ddf32a9aabd118b30f6b8617f4b9e6625edba0ff95

                                                                                                                                                                        SHA512

                                                                                                                                                                        8d5932d1fa8006c73e8576383425151439b4bf4637017f104a6c4e5cf202ce1c4a1dbec6d61adb794fd8a30c1300d6635d162df8630f9193c96239ec8b2a6869

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000177001\Mswgoudnv.exe
                                                                                                                                                                        Filesize

                                                                                                                                                                        924KB

                                                                                                                                                                        MD5

                                                                                                                                                                        de64bb0f39113e48a8499d3401461cf8

                                                                                                                                                                        SHA1

                                                                                                                                                                        8d78c2d4701e4596e87e3f09adde214a2a2033e8

                                                                                                                                                                        SHA256

                                                                                                                                                                        64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a

                                                                                                                                                                        SHA512

                                                                                                                                                                        35b7cdcfb866dcdc79be34066a9ad5a8058b80e68925aeb23708606149841022de17e9d205389c13803c01e356174a2f657773df7d53f889e4e1fc1d68074179

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif
                                                                                                                                                                        Filesize

                                                                                                                                                                        872KB

                                                                                                                                                                        MD5

                                                                                                                                                                        c56b5f0201a3b3de53e561fe76912bfd

                                                                                                                                                                        SHA1

                                                                                                                                                                        2a4062e10a5de813f5688221dbeb3f3ff33eb417

                                                                                                                                                                        SHA256

                                                                                                                                                                        237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

                                                                                                                                                                        SHA512

                                                                                                                                                                        195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                                                                                                                                                        Filesize

                                                                                                                                                                        1.8MB

                                                                                                                                                                        MD5

                                                                                                                                                                        fbb7e8266d0875b81f294136bb93f90a

                                                                                                                                                                        SHA1

                                                                                                                                                                        88096781cb97d1fb0aab5ea5c59501eeebd06c52

                                                                                                                                                                        SHA256

                                                                                                                                                                        a61dc154af80d7c67638c50ca91d567ba0f872562c1b6c616e58abdda3bc3544

                                                                                                                                                                        SHA512

                                                                                                                                                                        1d86f4d357daf13b50c08f111fc58126674fe452ee09be4e7ecec23a65e3576e069929c90605a6abebfbcc3755881b76ae0a6112b9ad66fef3d6c6db3b338e28

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\453224882060
                                                                                                                                                                        Filesize

                                                                                                                                                                        85KB

                                                                                                                                                                        MD5

                                                                                                                                                                        a579ca09a89362820b0b15fa98a4a77e

                                                                                                                                                                        SHA1

                                                                                                                                                                        9759bc3a5153cb7ed4eafa49d5797f8f7b5453e4

                                                                                                                                                                        SHA256

                                                                                                                                                                        157966dcd582b82e5a7cee8d0c09a46ee96da7695e92cb5d9fe766cf7741be82

                                                                                                                                                                        SHA512

                                                                                                                                                                        99114a9f627719447bcf14fb1c77c839471d841638e4aae60257d7d49c3159fd76b91f09fbe93024d0d62926a3a2127f263f8286a3a47a79265b5872652e8a29

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Cassette
                                                                                                                                                                        Filesize

                                                                                                                                                                        6KB

                                                                                                                                                                        MD5

                                                                                                                                                                        4f0abd6588c8c75164b32182d57064d0

                                                                                                                                                                        SHA1

                                                                                                                                                                        ca56a2a18f885325af7a9608fd37bdcfd9928f60

                                                                                                                                                                        SHA256

                                                                                                                                                                        cd27421f2758e883e53d498e3fafba2b519688c1f482489d51ad75a4fbff3b5f

                                                                                                                                                                        SHA512

                                                                                                                                                                        57267ee995b563840ee8d1b29e194b037bf39cc4cd9acf33beb9ce8a43137eaf70405139558e789453ffbcceae176f08cbae653a4635f97358cf5c6c0582f8d0

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Cookies.db
                                                                                                                                                                        Filesize

                                                                                                                                                                        20KB

                                                                                                                                                                        MD5

                                                                                                                                                                        a603e09d617fea7517059b4924b1df93

                                                                                                                                                                        SHA1

                                                                                                                                                                        31d66e1496e0229c6a312f8be05da3f813b3fa9e

                                                                                                                                                                        SHA256

                                                                                                                                                                        ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

                                                                                                                                                                        SHA512

                                                                                                                                                                        eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Drop
                                                                                                                                                                        Filesize

                                                                                                                                                                        241B

                                                                                                                                                                        MD5

                                                                                                                                                                        3b1ee79ec6fe9dfb3629ab806fe1b2d6

                                                                                                                                                                        SHA1

                                                                                                                                                                        d3005fed3fcd45b8242a5c72ac9e96f87b72f6b9

                                                                                                                                                                        SHA256

                                                                                                                                                                        73bdf5cf3e6b23be2ad017516c63467578798c5c9b92923ac5a85fad74687505

                                                                                                                                                                        SHA512

                                                                                                                                                                        b1973db9bab3b551aaf741bfe1cf04ee2e65a7987b89a3027f4a048af0e1d9c14bb5dfe179cb5e9c06adb9fcf64d3c3b5ba0b6e6af5cf62c56e5bf1603468a92

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Logins.db
                                                                                                                                                                        Filesize

                                                                                                                                                                        40KB

                                                                                                                                                                        MD5

                                                                                                                                                                        a182561a527f929489bf4b8f74f65cd7

                                                                                                                                                                        SHA1

                                                                                                                                                                        8cd6866594759711ea1836e86a5b7ca64ee8911f

                                                                                                                                                                        SHA256

                                                                                                                                                                        42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                                                                                                                                                                        SHA512

                                                                                                                                                                        9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Logins.db
                                                                                                                                                                        Filesize

                                                                                                                                                                        48KB

                                                                                                                                                                        MD5

                                                                                                                                                                        349e6eb110e34a08924d92f6b334801d

                                                                                                                                                                        SHA1

                                                                                                                                                                        bdfb289daff51890cc71697b6322aa4b35ec9169

                                                                                                                                                                        SHA256

                                                                                                                                                                        c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

                                                                                                                                                                        SHA512

                                                                                                                                                                        2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Strikes
                                                                                                                                                                        Filesize

                                                                                                                                                                        872KB

                                                                                                                                                                        MD5

                                                                                                                                                                        4fe6d24625898f968f3ab23d7d0ad336

                                                                                                                                                                        SHA1

                                                                                                                                                                        bb9d475da747f9bb506607d8c2a0282c629691a1

                                                                                                                                                                        SHA256

                                                                                                                                                                        f1de84e03842252e12584bb031466ddc3070291fdac398ca0f8d000421d34311

                                                                                                                                                                        SHA512

                                                                                                                                                                        681f4b955605423cf91fc191b602d7d69eea123a96c9b78f43e62b34b343825316a70269da4f5c805462f26e538e456670b5e2f2f36c55a76b6d19b51bc37d7c

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\TmpD215.tmp
                                                                                                                                                                        Filesize

                                                                                                                                                                        2KB

                                                                                                                                                                        MD5

                                                                                                                                                                        1420d30f964eac2c85b2ccfe968eebce

                                                                                                                                                                        SHA1

                                                                                                                                                                        bdf9a6876578a3e38079c4f8cf5d6c79687ad750

                                                                                                                                                                        SHA256

                                                                                                                                                                        f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

                                                                                                                                                                        SHA512

                                                                                                                                                                        6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kzpl0yfk.dbk.ps1
                                                                                                                                                                        Filesize

                                                                                                                                                                        60B

                                                                                                                                                                        MD5

                                                                                                                                                                        d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                        SHA1

                                                                                                                                                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                        SHA256

                                                                                                                                                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                        SHA512

                                                                                                                                                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp4A4D.tmp
                                                                                                                                                                        Filesize

                                                                                                                                                                        20KB

                                                                                                                                                                        MD5

                                                                                                                                                                        aa4a2496e8475bae2e60b9d0937dd6a0

                                                                                                                                                                        SHA1

                                                                                                                                                                        df394090f9663639669933a19e6e8ce0c5de1a9f

                                                                                                                                                                        SHA256

                                                                                                                                                                        e383a1fb2917dce61a3f0f9f2851c7f38f7acb4325b9dba0f9f7a0dda1bb2fa6

                                                                                                                                                                        SHA512

                                                                                                                                                                        3c084d63d0b0d271d7b40749ca83d66929c9b66f93c0975b4afe6e081e87e50830412e4b43f42b0b66fc6d57a9f6b3e6a334ec0256ad71b67d6b6b4f8c91ad5a

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp4A8A.tmp
                                                                                                                                                                        Filesize

                                                                                                                                                                        96KB

                                                                                                                                                                        MD5

                                                                                                                                                                        40f3eb83cc9d4cdb0ad82bd5ff2fb824

                                                                                                                                                                        SHA1

                                                                                                                                                                        d6582ba879235049134fa9a351ca8f0f785d8835

                                                                                                                                                                        SHA256

                                                                                                                                                                        cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

                                                                                                                                                                        SHA512

                                                                                                                                                                        cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-945322488-2060912225-3527527000-1000\76b53b3ec448f7ccdda2063b15d2bfc3_03d68389-5a68-4d9e-92ac-47b927e624dd
                                                                                                                                                                        Filesize

                                                                                                                                                                        2KB

                                                                                                                                                                        MD5

                                                                                                                                                                        f5b4ba776ad7c9190b88ff4bdb0515dd

                                                                                                                                                                        SHA1

                                                                                                                                                                        9e4af6f6b3f19b3e0d4012f4911c78b32aa4a04f

                                                                                                                                                                        SHA256

                                                                                                                                                                        7bffe1159105b12bec3c578bf335188ba9041ea8f8ce3d3028d20d87e8996618

                                                                                                                                                                        SHA512

                                                                                                                                                                        d29bbbea973a0ee1782b2f9a69bfa923a516e46bfd186e25f13ca6841e458c8f7decf3dd0b4dbaab006932c2777452fe03c50ad805b61ac4b3a2616779dcdc8e

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\lA6lx4CDam.exe
                                                                                                                                                                        Filesize

                                                                                                                                                                        304KB

                                                                                                                                                                        MD5

                                                                                                                                                                        30f46f4476cdc27691c7fdad1c255037

                                                                                                                                                                        SHA1

                                                                                                                                                                        b53415af5d01f8500881c06867a49a5825172e36

                                                                                                                                                                        SHA256

                                                                                                                                                                        3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0

                                                                                                                                                                        SHA512

                                                                                                                                                                        271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\vMovAJy60a.exe
                                                                                                                                                                        Filesize

                                                                                                                                                                        544KB

                                                                                                                                                                        MD5

                                                                                                                                                                        88367533c12315805c059e688e7cdfe9

                                                                                                                                                                        SHA1

                                                                                                                                                                        64a107adcbac381c10bd9c5271c2087b7aa369ec

                                                                                                                                                                        SHA256

                                                                                                                                                                        c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9

                                                                                                                                                                        SHA512

                                                                                                                                                                        7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Admin\Desktop\Microsoft Edge.lnk
                                                                                                                                                                        Filesize

                                                                                                                                                                        2KB

                                                                                                                                                                        MD5

                                                                                                                                                                        df35b1229e045b7cfd9b9576c7af6a0a

                                                                                                                                                                        SHA1

                                                                                                                                                                        4d685fce7540a4ec10853b20987ca8831e5f184b

                                                                                                                                                                        SHA256

                                                                                                                                                                        8168f2470bb7a27e3a09aaa7e8748b2150e4e96a76f6017214c8392d907ce2bc

                                                                                                                                                                        SHA512

                                                                                                                                                                        8b8ebc2f658180edec34e20337491bd60829832110d1be28e08544afa2707b8b064933ac8662f524b88b4e0c79776df526e44a786ccc04388271ba9013c1dc55

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • C:\Users\Public\Desktop\Google Chrome.lnk
                                                                                                                                                                        Filesize

                                                                                                                                                                        2KB

                                                                                                                                                                        MD5

                                                                                                                                                                        353e9e2fa47d7a9c14a35cceac0360b3

                                                                                                                                                                        SHA1

                                                                                                                                                                        18c41db29a4c28597f096ba252868cb57186eff1

                                                                                                                                                                        SHA256

                                                                                                                                                                        a402c8dac3b12da5d655c7b3dcd6483fa998dc33fb49c8fcf8ec0d63fc4bacbf

                                                                                                                                                                        SHA512

                                                                                                                                                                        60a044bcdff9cdaf3ac7011e5ca6eca8ce4657db73a1d428008ea153f890e679dce2474917666290764545effb6215b4f4a836304c03ebf1e32da354b685c7ed

                                                                                                                                                                        Download Submit

                                                                                                                                                                      • memory/632-47-0x0000000000790000-0x00000000007E4000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        336KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/872-51-0x0000000005860000-0x0000000005E04000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        5.6MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/872-49-0x0000000000400000-0x0000000000452000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        328KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/872-52-0x0000000005350000-0x00000000053E2000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        584KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/872-53-0x0000000005340000-0x000000000534A000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        40KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/872-70-0x0000000006190000-0x0000000006206000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        472KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/872-79-0x0000000006860000-0x000000000687E000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        120KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/872-94-0x0000000008A70000-0x0000000008B7A000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        1.0MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/872-95-0x00000000070F0000-0x0000000007102000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        72KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/872-93-0x00000000071F0000-0x0000000007808000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        6.1MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/872-96-0x0000000007150000-0x000000000718C000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        240KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/872-97-0x0000000007190000-0x00000000071DC000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        304KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/1000-752-0x0000000000D10000-0x0000000000D5C000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        304KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/1000-760-0x0000000000D10000-0x0000000000D5C000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        304KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/1000-759-0x0000000000D10000-0x0000000000D5C000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        304KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/1604-878-0x000000001DF70000-0x000000001E498000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        5.2MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/1604-877-0x000000001D870000-0x000000001DA32000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        1.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/1604-756-0x000000001D5C0000-0x000000001D5DE000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        120KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/1604-2102-0x000000001D7A0000-0x000000001D7F0000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        320KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/1604-898-0x000000001D640000-0x000000001D65E000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        120KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/1604-897-0x000000001D720000-0x000000001D796000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        472KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/1604-757-0x000000001D600000-0x000000001D612000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        72KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/1604-758-0x000000001D660000-0x000000001D69C000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        240KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/1604-592-0x0000000000AD0000-0x0000000000AEC000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        112KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/1848-161-0x0000000007490000-0x00000000074E0000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        320KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/1848-128-0x0000000000690000-0x00000000006E2000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        328KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/1972-156-0x0000000008150000-0x00000000081B6000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        408KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/1972-157-0x0000000009A70000-0x0000000009C32000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        1.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/1972-129-0x0000000000200000-0x000000000028E000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        568KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/1972-158-0x000000000A170000-0x000000000A69C000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        5.2MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3056-20-0x00000000008D0000-0x0000000000D96000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3056-2-0x00000000008D1000-0x00000000008FF000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        184KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3056-1-0x0000000077614000-0x0000000077616000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        8KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3056-3-0x00000000008D0000-0x0000000000D96000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3056-4-0x00000000008D0000-0x0000000000D96000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3056-0-0x00000000008D0000-0x0000000000D96000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3104-101-0x0000000000400000-0x000000000050D000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        1.1MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3104-99-0x0000000000400000-0x000000000050D000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        1.1MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3104-124-0x0000000000400000-0x000000000050D000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        1.1MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3104-103-0x0000000000400000-0x000000000050D000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        1.1MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3104-104-0x0000000000400000-0x000000000050D000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        1.1MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3256-571-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        2.3MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3256-573-0x0000000000400000-0x0000000000643000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        2.3MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3256-636-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        972KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3584-263-0x0000000000D00000-0x0000000000F43000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        2.3MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3584-179-0x0000000000D00000-0x0000000000F43000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        2.3MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3584-181-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        972KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3640-25-0x0000000000BC0000-0x0000000001086000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3640-23-0x0000000000BC0000-0x0000000001086000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3640-16-0x0000000000BC0000-0x0000000001086000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3640-27-0x0000000000BC1000-0x0000000000BEF000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        184KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/3640-26-0x0000000000BC0000-0x0000000001086000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/4052-282-0x0000000000BD0000-0x0000000000C22000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        328KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/4964-21-0x0000000000BC1000-0x0000000000BEF000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        184KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/4964-223-0x0000000000BC0000-0x0000000001086000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/4964-28-0x0000000000BC0000-0x0000000001086000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/4964-303-0x0000000000BC0000-0x0000000001086000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/4964-22-0x0000000000BC0000-0x0000000001086000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/4964-547-0x0000000000BC0000-0x0000000001086000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/4964-147-0x0000000000BC0000-0x0000000001086000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/4964-395-0x0000000000BC0000-0x0000000001086000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/4964-705-0x0000000000BC0000-0x0000000001086000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/4964-753-0x0000000000BC0000-0x0000000001086000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/4964-17-0x0000000000BC0000-0x0000000001086000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/4964-164-0x0000000000BC0000-0x0000000001086000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/4964-428-0x0000000000BC0000-0x0000000001086000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/4964-153-0x0000000000BC0000-0x0000000001086000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4.8MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/4996-92-0x0000000000540000-0x0000000000652000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        1.1MB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5116-569-0x0000000000D60000-0x0000000000D98000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        224KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5180-926-0x0000000005000000-0x00000000050D8000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        864KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5180-922-0x0000000005000000-0x00000000050D8000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        864KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5180-2197-0x0000000005480000-0x00000000054D4000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        336KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5180-916-0x00000000005E0000-0x00000000006CE000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        952KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5180-917-0x0000000004E80000-0x0000000004F5C000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        880KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5180-918-0x0000000005000000-0x00000000050DE000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        888KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5180-919-0x0000000005000000-0x00000000050D8000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        864KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5180-2006-0x0000000005210000-0x000000000525C000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        304KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5180-924-0x0000000005000000-0x00000000050D8000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        864KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5180-2005-0x00000000051B0000-0x0000000005208000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        352KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5180-920-0x0000000005000000-0x00000000050D8000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        864KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5652-615-0x00000268A3700000-0x00000268A3722000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        136KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5680-874-0x0000000000620000-0x000000000068F000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        444KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5680-899-0x0000000000620000-0x000000000068F000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        444KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5680-875-0x0000000000620000-0x000000000068F000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        444KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5680-873-0x0000000000620000-0x000000000068F000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        444KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5680-872-0x0000000000620000-0x000000000068F000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        444KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5680-871-0x0000000000620000-0x000000000068F000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        444KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5680-876-0x0000000000620000-0x000000000068F000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        444KB

                                                                                                                                                                        Download

                                                                                                                                                                      • memory/5920-731-0x0000000000D00000-0x0000000000D52000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        328KB

                                                                                                                                                                        Download