Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/08/2024, 11:25

General

  • Target

    4363463463464363463463463.exe

  • Size

    10KB

  • MD5

    2a94f3960c58c6e70826495f76d00b85

  • SHA1

    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

  • SHA256

    2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

  • SHA512

    fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

  • SSDEEP

    192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

c7817d

C2

http://31.41.244.10

Attributes
  • install_dir

    0e8d0864aa

  • install_file

    svoutse.exe

  • strings_key

    5481b88a6ef75bcf21333988a4e47048

  • url_paths

    /Dem7kTu/index.php

rc4.plain

Extracted

Family

stealc

Botnet

nord

C2

http://185.215.113.100

Attributes
  • url_path

    /e2b1563c6670f193.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects HijackLoader (aka IDAT Loader) 1 IoCs
  • HijackLoader

    HijackLoader is a multistage loader first seen in 2023.

  • Modifies security service 2 TTPs 1 IoCs
  • Phorphiex payload 3 IoCs
  • Phorphiex, Phorpiex

    Phorphiex (also spelled Phorpiex) is a malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • Stealc

    Stealc is an infostealer written in C++.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
  • XMRig Miner payload 5 IoCs
  • Contacts a large (662) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 22 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 6 IoCs
  • Windows security modification 2 TTPs 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Uses the powershell.exe command.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3424
      • C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
        "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
        2⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3416
        • C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe
          "C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:428
        • C:\Users\Admin\AppData\Local\Temp\Files\m.exe
          "C:\Users\Admin\AppData\Local\Temp\Files\m.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4296
          • C:\Windows\sysmablsvr.exe
            C:\Windows\sysmablsvr.exe
            4⤵
            • Modifies security service
            • Windows security bypass
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2000
            • C:\Users\Admin\AppData\Local\Temp\849821766.exe
              C:\Users\Admin\AppData\Local\Temp\849821766.exe
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4172
        • C:\Users\Admin\AppData\Local\Temp\Files\t2.exe
          "C:\Users\Admin\AppData\Local\Temp\Files\t2.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2788
        • C:\Users\Admin\AppData\Local\Temp\Files\random.exe
          "C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2248
          • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
            "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4896
            • C:\Users\Admin\AppData\Local\Temp\1000013001\0f3ab47a90.exe
              "C:\Users\Admin\AppData\Local\Temp\1000013001\0f3ab47a90.exe"
              5⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:4772
            • C:\Users\Admin\AppData\Local\Temp\1000015001\e04acc355b.exe
              "C:\Users\Admin\AppData\Local\Temp\1000015001\e04acc355b.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:820
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
                6⤵
                • Enumerates system info in registry
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of WriteProcessMemory
                PID:1432
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8840846f8,0x7ff884084708,0x7ff884084718
                  7⤵
                    PID:376
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
                    7⤵
                      PID:5316
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2480 /prefetch:3
                      7⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:5324
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:8
                      7⤵
                        PID:5332
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
                        7⤵
                          PID:5448
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
                          7⤵
                            PID:5456
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
                            7⤵
                              PID:5624
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
                              7⤵
                                PID:5644
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
                                7⤵
                                  PID:5816
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
                                  7⤵
                                    PID:5824
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
                                    7⤵
                                      PID:5832
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
                                      7⤵
                                        PID:5848
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
                                        7⤵
                                          PID:6032
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
                                          7⤵
                                            PID:6040
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
                                            7⤵
                                              PID:5356
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
                                              7⤵
                                                PID:5372
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
                                                7⤵
                                                  PID:5340
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
                                                  7⤵
                                                    PID:5348
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
                                                    7⤵
                                                      PID:5464
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
                                                      7⤵
                                                        PID:5476
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
                                                        7⤵
                                                          PID:5924
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
                                                          7⤵
                                                            PID:6168
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
                                                            7⤵
                                                              PID:6976
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4372 /prefetch:1
                                                              7⤵
                                                                PID:6984
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
                                                                7⤵
                                                                  PID:7164
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1
                                                                  7⤵
                                                                    PID:5856
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
                                                                    7⤵
                                                                      PID:5864
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
                                                                      7⤵
                                                                        PID:5872
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
              7⤵
              PID:5880
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
              7⤵
              PID:5888
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
              7⤵
              PID:6036
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
              7⤵
              PID:6048
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
              7⤵
              PID:6056
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 /prefetch:8
              7⤵
              PID:6376
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 /prefetch:8
              7⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:348
    • C:\Users\Admin\AppData\Local\Temp\Files\Dropper.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Dropper.exe"
      3⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:5772
    • C:\Users\Admin\AppData\Local\Temp\Files\t1.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\t1.exe"
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:6256
    • C:\Users\Admin\AppData\Local\Temp\Files\s.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\s.exe"
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:7232
    • C:\Users\Admin\AppData\Roaming\netprofm\VBoxSVC.exe
      "C:\Users\Admin\AppData\Roaming\netprofm\VBoxSVC.exe"
      3⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:7444
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\SysWOW64\cmd.exe"
        4⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:7532
    • C:\Users\Admin\AppData\Local\Temp\Files\ZinTask.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\ZinTask.exe"
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:7588
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 232
        4⤵
        • Program crash
        PID:7692
    • C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe"
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:7776
    • C:\Users\Admin\AppData\Local\Temp\Files\pp.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\pp.exe"
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5356
    • C:\Users\Admin\AppData\Local\Temp\Files\pi.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\pi.exe"
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:6768
    • C:\Users\Admin\AppData\Local\Temp\Files\pei.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:7960
    • C:\Users\Admin\AppData\Local\Temp\Files\npp.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4964
    • C:\Users\Admin\AppData\Local\Temp\Files\11.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\11.exe"
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:7580
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
    2⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3408
  • C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
    2⤵
    PID:820
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
    2⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    PID:4752
  • C:\Windows\System32\notepad.exe
    C:\Windows\System32\notepad.exe
    2⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3268
• C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
  "C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
  1⤵
  • Suspicious use of NtCreateUserProcessOtherParentProcess
  • Executes dropped EXE
  • Suspicious use of SetThreadContext
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of WriteProcessMemory
  PID:2440
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:5988
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:6676
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7588 -ip 7588
  1⤵
  PID:7672
• C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  1⤵
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
  • Checks BIOS information in registry
  • Executes dropped EXE
  • Identifies Wine through registry keys
  • Suspicious use of NtSetInformationThreadHideFromDebugger
  • Suspicious behavior: EnumeratesProcesses
  PID:7036

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (3KB)
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat (152B)
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat (152B)
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat (152B)
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat (20B)
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\179de052-da4f-44d1-9808-ce490fb5960c.tmp (4KB)
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001 (41B)
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Microsoft Edge.lnk (1KB)
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences (4KB)
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences (24KB)
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RFe59816b.TMP (24KB)
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0

                                                                                Filesize

                                                                                8KB

                                                                                MD5

                                                                                cf89d16bb9107c631daabf0c0ee58efb

                                                                                SHA1

                                                                                3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

                                                                                SHA256

                                                                                d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

                                                                                SHA512

                                                                                8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

                                                                                Filesize

                                                                                264KB

                                                                                MD5

                                                                                f50f89a0a91564d0b8a211f8921aa7de

                                                                                SHA1

                                                                                112403a17dd69d5b9018b8cede023cb3b54eab7d

                                                                                SHA256

                                                                                b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                                                                SHA512

                                                                                bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2

                                                                                Filesize

                                                                                8KB

                                                                                MD5

                                                                                0962291d6d367570bee5454721c17e11

                                                                                SHA1

                                                                                59d10a893ef321a706a9255176761366115bedcb

                                                                                SHA256

                                                                                ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

                                                                                SHA512

                                                                                f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3

                                                                                Filesize

                                                                                8KB

                                                                                MD5

                                                                                41876349cb12d6db992f1309f22df3f0

                                                                                SHA1

                                                                                5cf26b3420fc0302cd0a71e8d029739b8765be27

                                                                                SHA256

                                                                                e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

                                                                                SHA512

                                                                                e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\CURRENT

                                                                                Filesize

                                                                                16B

                                                                                MD5

                                                                                46295cac801e5d4857d09837238a6394

                                                                                SHA1

                                                                                44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                                                SHA256

                                                                                0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                                                SHA512

                                                                                8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\data_reduction_proxy_leveldb\CURRENT

                                                                                Filesize

                                                                                16B

                                                                                MD5

                                                                                206702161f94c5cd39fadd03f4014d98

                                                                                SHA1

                                                                                bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                                                SHA256

                                                                                1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                                                SHA512

                                                                                0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State

                                                                                Filesize

                                                                                9KB

                                                                                MD5

                                                                                9b6e0d047366d97ce4c7a44a0eaa7e58

                                                                                SHA1

                                                                                59f5d279699841654a4232e0848a8bff225e6b6a

                                                                                SHA256

                                                                                2cd947c02bcd81e1d5358ff1320229b66a4f9c00fde20a489c9ddf512a0fb848

                                                                                SHA512

                                                                                d2a56c0febc765a48cb947915bd6b62020595bcbd2be266adb28532aab67f6508976b1aa505b98270e240d31e61cb169a48ddbedf3200ce3e62227095c6cfbf7

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RFe59a4e1.TMP

                                                                                Filesize

                                                                                9KB

                                                                                MD5

                                                                                aaae7b34785f09b104426d00f425b6ce

                                                                                SHA1

                                                                                5613fd4c1ebdce331bfbf9b4c87fc1b937a0ba96

                                                                                SHA256

                                                                                06a801f92d5471637e775abccf0f486c4796023d235271e37f3399790d890d4f

                                                                                SHA512

                                                                                887c3591f8394f5968a1649aeee0e4e1c552aa8eaed653799a91268d106299e5dcf99329255852309e8441afe56f82443657ced34f0eb2d8b6c9d33dcd74bc34

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                Filesize

                                                                                1KB

                                                                                MD5

                                                                                2cacea4e19ddf5755e70346cc1cbe27b

                                                                                SHA1

                                                                                d4f7c2950f951857da18cfec490370152983e121

                                                                                SHA256

                                                                                5488c6f47e2e55addf07b920f0ce43ed970515193c4cb1ffb845a9b441bcd9ad

                                                                                SHA512

                                                                                445497cefd12a10e19272b51028a6b19d039b578a2e4d1f4c7f4c4bed447c55b1cd23453e9bed9307aaeb7b57ea8c721d1884eaaafa422df4607cfe3a75f54f7

                                                                              • C:\Users\Admin\AppData\Local\Temp\1000013001\0f3ab47a90.exe

                                                                                Filesize

                                                                                1.7MB

                                                                                MD5

                                                                                952471642155df63bf9dd4bbd2828c45

                                                                                SHA1

                                                                                7de09af139988b2712b7922220a68940ca6379b5

                                                                                SHA256

                                                                                2141d9159c4fca891bba493acba71c5973b9d554e4b0552f4a87be7f3bcd112e

                                                                                SHA512

                                                                                04debdb0c9a6761e0132e78536073c250b4d4b2d1be1e1761c6d2e388713b84dfaa80adc984de548bb42ce2156500d650081c4084b28f03b316ac7a18d996a5a

                                                                              • C:\Users\Admin\AppData\Local\Temp\1000015001\e04acc355b.exe

                                                                                Filesize

                                                                                896KB

                                                                                MD5

                                                                                ba634ed8c1b0b3e688d89f185191f4db

                                                                                SHA1

                                                                                0d000cbf959dd7733074f7c5877f6804dceff3e3

                                                                                SHA256

                                                                                b1787fdef4283ff280276dedfade4495e880ecae949596654edf00976ce3f00f

                                                                                SHA512

                                                                                9bdd5022e3c63eb8f35df5b40d0726689b3a4b7fb9a7abd8a930fc0f633ee82dc428030cd6c2e0ed38654c6902b339fb27ad185345a43ffde620a6e417f3b900

                                                                              • C:\Users\Admin\AppData\Local\Temp\849821766.exe

                                                                                Filesize

                                                                                19KB

                                                                                MD5

                                                                                dce86bff5ca04db752b19245e111a636

                                                                                SHA1

                                                                                f1e3a56d5be946483b5eac047540a37d6af60f03

                                                                                SHA256

                                                                                1467e4763d7a4b66d33c01714e7ed6192c8518688a72f91bf37a51ef35095a6d

                                                                                SHA512

                                                                                448bd6926688f32afef0d759dcdbe10915736e51f0b4b3059d402e58d677b4ed915460809a91680bd2eb640fc830dfaeda02484157a94f1d8ce2447e3a795ef8

                                                                              • C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe

                                                                                Filesize

                                                                                242KB

                                                                                MD5

                                                                                4f8e2d782e4513a311bcb35e9b83cd49

                                                                                SHA1

                                                                                d57d45c9da96e5be19f35ba74ac460a1687aced7

                                                                                SHA256

                                                                                45f5c46ad6a2e15029b2a7048eddd1abb134457673cf75704171d56f9f4eafa3

                                                                                SHA512

                                                                                c292564ac4cc452c1213ea400e599c706f50cf7f7b9ecdd8241cdcce8c26ba7e1a9cf12be2c5ffdcc42b82764f1f24ccfd10781a513a66a79158c66a2a921c9c

                                                                              • C:\Users\Admin\AppData\Local\Temp\Files\11.exe

                                                                                Filesize

                                                                                79KB

                                                                                MD5

                                                                                e2e3268f813a0c5128ff8347cbaa58c8

                                                                                SHA1

                                                                                4952cbfbdec300c048808d79ee431972b8a7ba84

                                                                                SHA256

                                                                                d8b83f78ed905a7948e2e1e371f0f905bcaaabbb314c692fee408a454f8338a3

                                                                                SHA512

                                                                                cb5aeda8378a9a5470f33f2b70c22e77d2df97b162ba953eb16da085b3c434be31a5997eac11501db0cb612cdb30fa9045719fcd10c7227c56cc782558e0c3bc

                                                                              • C:\Users\Admin\AppData\Local\Temp\Files\Dropper.exe

                                                                                Filesize

                                                                                4.0MB

                                                                                MD5

                                                                                5341c5bb13ae2b2753b2fdadcf93aa51

                                                                                SHA1

                                                                                6760d7bb6b84830d89e653847e32f11faef51006

                                                                                SHA256

                                                                                492223cd623e3f64dc873274ac477a1aa2985c50fb5d7b6e45384bf900302d60

                                                                                SHA512

                                                                                dfde0913998931efb749b75657e16a118830b16ddec263ee01f2ac5535e7a6cd832879ce19b9692c8a1458885a0666d06e3a68dcf7905a686b9694490a6d43e6

                                                                              • C:\Users\Admin\AppData\Local\Temp\Files\ZinTask.exe

                                                                                Filesize

                                                                                2.5MB

                                                                                MD5

                                                                                dba7abdb1d2ada8cb51d1c258b1b3531

                                                                                SHA1

                                                                                fa18a0affb277c99e71253bca5834e6fe6cd7135

                                                                                SHA256

                                                                                3d0a544073fc4c02d5634bd33f76f9dae07d9a325340ed747bcfde51ea52e23f

                                                                                SHA512

                                                                                0491865151140a5252a87a771f6552fd527fae3dec3c43ca0b806702e7ad4953b7d16bd1d8f275828f8b094bc337f79ed5c298beed4ec99186e4f4c3bd3cdf2a

                                                                              • C:\Users\Admin\AppData\Local\Temp\Files\m.exe

                                                                                Filesize

                                                                                88KB

                                                                                MD5

                                                                                ababca6d12d96e8dd2f1d7114b406fae

                                                                                SHA1

                                                                                dcd9798e83ec688aacb3de8911492a232cb41a32

                                                                                SHA256

                                                                                a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba

                                                                                SHA512

                                                                                b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f

                                                                              • C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe

                                                                                Filesize

                                                                                5.4MB

                                                                                MD5

                                                                                41ab08c1955fce44bfd0c76a64d1945a

                                                                                SHA1

                                                                                2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

                                                                                SHA256

                                                                                dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

                                                                                SHA512

                                                                                38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

                                                                              • C:\Users\Admin\AppData\Local\Temp\Files\pei.exe

                                                                                Filesize

                                                                                9KB

                                                                                MD5

                                                                                8d8e6c7952a9dc7c0c73911c4dbc5518

                                                                                SHA1

                                                                                9098da03b33b2c822065b49d5220359c275d5e94

                                                                                SHA256

                                                                                feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

                                                                                SHA512

                                                                                91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

                                                                              • C:\Users\Admin\AppData\Local\Temp\Files\pi.exe

                                                                                Filesize

                                                                                79KB

                                                                                MD5

                                                                                1e8a2ed2e3f35620fb6b8c2a782a57f3

                                                                                SHA1

                                                                                e924ce6d147ecc8b30b7c7cad02e5c9ae09a743a

                                                                                SHA256

                                                                                3f16f4550826076b2c8cd7b392ee649aeb06740328658a2d30c3d2002c6b7879

                                                                                SHA512

                                                                                ce4dc7fdd7f81a7a127d650f9175292b287b4803d815d74b64a4e5125cff66224d75e7ecade1d9c0e42f870bdb49a78e9613b1a49675ab5bc098611b99b49ade

                                                                              • C:\Users\Admin\AppData\Local\Temp\Files\random.exe

                                                                                Filesize

                                                                                1.8MB

                                                                                MD5

                                                                                6e5042ff1ec6df9aee18f4eea7864524

                                                                                SHA1

                                                                                19e4eaaec31c8512b191138a439b6c4c7ba73d18

                                                                                SHA256

                                                                                420a1ba2737e39704e52e1ea0c2494d8c232f10e2b40971923959da4708b3b0c

                                                                                SHA512

                                                                                ac5c8537bfd0a509ab49911cdf180778e9e47f9f9fb600933b2ba03f939f9bc9834db5a106840382ee648b289cddaf69b55cf969f51b9f89c49c678f1edc202c

                                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_14rmxhdf.frq.ps1

                                                                                Filesize

                                                                                60B

                                                                                MD5

                                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                                SHA1

                                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                SHA256

                                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                SHA512

                                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A9D554ASH2A9KH55Z6TM.temp

  Filesize  3KB
  MD5       985561b1957df57d906ef6f299be73e8
  SHA1      3cd0eeb4d05db3b944c2862e98158d0086c87767
  SHA256    97eb02292313a961acd266d994e814b3fcf3b8331699eab98468bcd6cc3bbd07
  SHA512    f8052ba707b19197db1f15b364eabff851e6138d3dce41246a478f00ae113cded3a0d955b8fe854269d9d7a28e1f74c686cd55586166b5faff6ee8a2cc6217f6

• C:\Users\Admin\AppData\Roaming\netprofm\VBoxDDU.dll
  Filesize  371KB
  MD5       e4f0cae9a98e7d66f99926188b39cf7c
  SHA1      e3b86dabbd2a9729aa0a619a8712d33718bc1408
  SHA256    544087089781dd649501902b25af8a26c10cb10f97676e9eb688b69582419ba0
  SHA512    fd4c272d2187dfda537a7b147dfd9804c2e4e929ae361426c05f4eb173e4d0a7757a782d38de2c356c1710d90197d3386adf0aa7b427ffbe0b597a2dd7d221ac

• C:\Users\Admin\AppData\Roaming\netprofm\VBoxRT.dll
  Filesize  4.1MB
  MD5       31e7657643d832681fee0e303e25ee52
  SHA1      0756c911a602cfe2f094104d1c10a2d014c52e59
  SHA256    7328aeb5cec65215e5462c1ea4d69a6383fb77605ccb84c60fdb90d6d0b3c0f4
  SHA512    542ecead0a1d54de9300220799b1bbaf5e304fafa95c4ce130f0003a5c693adcf1c3140d67e6721c1cbc576989597bff7353727cec95ac289f563e1aee1ec9c2

• C:\Users\Admin\AppData\Roaming\netprofm\VBoxSVC.exe
  Filesize  3.4MB
  MD5       c8a2de7077f97d4bce1a44317b49ef41
  SHA1      6cb3212ec9be08cb5a29bf8d37e9ca845efc18c9
  SHA256    448402c129a721812fa1c5f279f5ca906b9c8bbca652a91655d144d20ce5e6b4
  SHA512    9815eba1566a8e33734f6a218071ec501dd1f799b1535e25d87c2b416b928ae8d15f8218cf20e685f9907ec39c202cbfc4728fe6ab9d87b3de345109f626845e

• C:\Users\Admin\AppData\Roaming\netprofm\msvcp100.dll
  Filesize  593KB
  MD5       d029339c0f59cf662094eddf8c42b2b5
  SHA1      a0b6de44255ce7bfade9a5b559dd04f2972bfdc8
  SHA256    934d882efd3c0f3f1efbc238ef87708f3879f5bb456d30af62f3368d58b6aa4c
  SHA512    021d9af52e68cb7a3b0042d9ed6c9418552ee16df966f9ccedd458567c47d70471cb8851a69d3982d64571369664faeeae3be90e2e88a909005b9cdb73679c82

• C:\Users\Admin\AppData\Roaming\netprofm\msvcr100.dll
  Filesize  809KB
  MD5       366fd6f3a451351b5df2d7c4ecf4c73a
  SHA1      50db750522b9630757f91b53df377fd4ed4e2d66
  SHA256    ae3cb6c6afba9a4aa5c85f66023c35338ca579b30326dd02918f9d55259503d5
  SHA512    2de764772b68a85204b7435c87e9409d753c2196cf5b2f46e7796c99a33943e167f62a92e8753eaa184cd81fb14361e83228eb1b474e0c3349ed387ec93e6130

• C:\Users\Admin\AppData\Roaming\netprofm\tammy.jpeg
  Filesize  643KB
  MD5       cd0834181a01bd3ea54d454eabe96a5e
  SHA1      4d320c8521f68380e25b08c92e5545e4a90b5618
  SHA256    e63bf972dc2ccb09d5ad7cfd6dca1d3294497619e7c572c7f784c5ff4b2528fa
  SHA512    530296dd8ee1369a148d64ba80c0d03e49f03020a8b09d3ff1fd38298b3626609d6a011b3a35c9f1990d0dac0f2f0f554a8d369088dfd1c51887be9035430a50

• memory/428-48-0x00007FF62BD40000-0x00007FF62C2B6000-memory.dmp
  Filesize  5.5MB

• memory/2248-93-0x0000000000AF0000-0x0000000000FAF000-memory.dmp
  Filesize  4.7MB

• memory/2248-82-0x0000000000AF0000-0x0000000000FAF000-memory.dmp
  Filesize  4.7MB

• memory/2440-66-0x00007FF7A2A30000-0x00007FF7A2FA6000-memory.dmp
  Filesize  5.5MB

• memory/3268-73-0x00007FF64B320000-0x00007FF64BB0F000-memory.dmp
  Filesize  7.9MB

• memory/3268-494-0x00007FF64B320000-0x00007FF64BB0F000-memory.dmp
  Filesize  7.9MB

• memory/3268-115-0x00007FF64B320000-0x00007FF64BB0F000-memory.dmp
  Filesize  7.9MB

• memory/3268-67-0x0000014BEC1C0000-0x0000014BEC1E0000-memory.dmp
  Filesize  128KB

• memory/3268-349-0x00007FF64B320000-0x00007FF64BB0F000-memory.dmp
  Filesize  7.9MB

• memory/3408-34-0x000001E6B3E40000-0x000001E6B3E62000-memory.dmp
  Filesize  136KB

• memory/3416-0-0x0000000074F3E000-0x0000000074F3F000-memory.dmp
  Filesize  4KB

• memory/3416-3-0x0000000074F30000-0x00000000756E0000-memory.dmp
  Filesize  7.7MB

• memory/3416-4-0x0000000074F3E000-0x0000000074F3F000-memory.dmp
  Filesize  4KB

• memory/3416-2-0x0000000005440000-0x00000000054DC000-memory.dmp
  Filesize  624KB

• memory/3416-1-0x0000000000A50000-0x0000000000A58000-memory.dmp
  Filesize  32KB

• memory/3416-5-0x0000000074F30000-0x00000000756E0000-memory.dmp
  Filesize  7.7MB

• memory/4772-114-0x0000000000360000-0x00000000009DC000-memory.dmp
  Filesize  6.5MB

• memory/4772-111-0x0000000000360000-0x00000000009DC000-memory.dmp
  Filesize  6.5MB

• memory/4896-96-0x0000000000340000-0x00000000007FF000-memory.dmp
  Filesize  4.7MB

• memory/4896-116-0x0000000000340000-0x00000000007FF000-memory.dmp
  Filesize  4.7MB

• memory/4896-199-0x0000000000340000-0x00000000007FF000-memory.dmp
  Filesize  4.7MB

• memory/4896-479-0x0000000000340000-0x00000000007FF000-memory.dmp
  Filesize  4.7MB

• memory/4896-390-0x0000000000340000-0x00000000007FF000-memory.dmp
  Filesize  4.7MB

• memory/4896-495-0x0000000000340000-0x00000000007FF000-memory.dmp
  Filesize  4.7MB

• memory/5772-360-0x00007FF890C20000-0x00007FF890F4D000-memory.dmp
  Filesize  3.2MB

• memory/7036-480-0x0000000000340000-0x00000000007FF000-memory.dmp
  Filesize  4.7MB

• memory/7036-482-0x0000000000340000-0x00000000007FF000-memory.dmp
  Filesize  4.7MB

• memory/7444-381-0x00007FF87E350000-0x00007FF87F9C7000-memory.dmp
  Filesize  22.5MB

• memory/7532-483-0x00007FF8A1DB0000-0x00007FF8A1FA5000-memory.dmp
  Filesize  2.0MB

• memory/7588-389-0x0000000000140000-0x0000000000141000-memory.dmp
  Filesize  4KB
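Two checks are routine when working from an artifact list like the one above: confirming that a file pulled from an infected host (or from a known-good install, for the VirtualBox and VC++ runtime components dropped into the netprofm directory) really matches the listed digests, and confirming that each memory dump's listed Filesize agrees with the address range encoded in its name. The helper below is an added example, not tria.ge code: it parses entries in either the compact one-line form or the key/value-on-separate-lines form that raw page extracts produce, decodes memory/<pid>-<n>-<base>-<end>-memory.dmp names, and compares digests of a recovered file against everything listed for it. SAMPLE_LISTING is a constructed excerpt containing two entries copied from this report; the 1024-based rounding rule in human_size is inferred from the regions listed on this page and is an assumption about how the report renders sizes.

```python
"""Helpers for the artifact section of a tria.ge-style sandbox report.

Added example, not code from tria.ge: parses the dropped-file entries
(path, Filesize, MD5/SHA1/SHA256/SHA512) and the memory/<pid>-<n>-<base>-
<end>-memory.dmp names, checks that a listed Filesize agrees with the
address range, and verifies a recovered file against the listed digests.
SAMPLE_LISTING is a constructed excerpt with two entries from the report.
"""
import hashlib
import re
from dataclasses import dataclass, field

SAMPLE_LISTING = """\
• C:\\Users\\Admin\\AppData\\Roaming\\netprofm\\VBoxRT.dll
  Filesize  4.1MB
  MD5       31e7657643d832681fee0e303e25ee52
  SHA1      0756c911a602cfe2f094104d1c10a2d014c52e59
  SHA256    7328aeb5cec65215e5462c1ea4d69a6383fb77605ccb84c60fdb90d6d0b3c0f4
  SHA512    542ecead0a1d54de9300220799b1bbaf5e304fafa95c4ce130f0003a5c693adcf1c3140d67e6721c1cbc576989597bff7353727cec95ac289f563e1aee1ec9c2
• memory/3268-73-0x00007FF64B320000-0x00007FF64BB0F000-memory.dmp
  Filesize  7.9MB
"""

FIELD_KEYS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class Artifact:
    name: str
    size: str = ""
    hashes: dict = field(default_factory=dict)  # algo (lowercase) -> hex digest


def parse_listing(text):
    """Build Artifact records from the listing. Accepts 'MD5  <digest>' on one
    line or the key and value on consecutive lines, as raw page extracts do."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    artifacts, i = [], 0
    while i < len(lines):
        ln = lines[i]
        if ln.startswith("•"):
            artifacts.append(Artifact(name=ln.lstrip("• ")))
            i += 1
            continue
        parts = ln.split(None, 1)
        if parts[0] in FIELD_KEYS and artifacts:
            if len(parts) == 2:              # key and value on one line
                value, i = parts[1], i + 1
            elif i + 1 < len(lines):         # value on the following line
                value, i = lines[i + 1], i + 2
            else:
                break
            if parts[0] == "Filesize":
                artifacts[-1].size = value
            else:
                artifacts[-1].hashes[parts[0].lower()] = value.lower()
        else:
            i += 1
    return artifacts


def parse_memory_name(name):
    """Split memory/<pid>-<n>-<base>-<end>-memory.dmp; None if not a dump name."""
    m = MEM_RE.match(name)
    if not m:
        return None
    base, end = int(m[3], 16), int(m[4], 16)
    return {"pid": int(m[1]), "seq": int(m[2]), "base": base, "end": end,
            "size": end - base}


def human_size(n):
    """Render bytes the way the report appears to (assumption: 1024-based,
    whole KB below 1 MiB, one decimal of MB above it)."""
    return f"{n / 1024:.0f}KB" if n < 1024 ** 2 else f"{n / 1024 ** 2:.1f}MB"


def check_memory_sizes(artifacts):
    """name -> (size derived from the address range, listed size, agree?)."""
    out = {}
    for a in artifacts:
        r = parse_memory_name(a.name)
        if r:
            derived = human_size(r["size"])
            out[a.name] = (derived, a.size, derived == a.size)
    return out


def digest_all(data):
    """MD5/SHA1/SHA256/SHA512 of a byte string, keyed like the report."""
    return {a: hashlib.new(a, data).hexdigest()
            for a in ("md5", "sha1", "sha256", "sha512")}


def verify(artifact, data):
    """Compare a recovered file's digests with every digest listed for it.
    Returns (all_match, {algo: matched}) so a partial match is visible
    instead of being silently accepted; no listed digests means no match."""
    actual = digest_all(data)
    result = {a: actual[a] == h for a, h in artifact.hashes.items()}
    return bool(result) and all(result.values()), result


if __name__ == "__main__":
    arts = parse_listing(SAMPLE_LISTING)
    for art in arts:
        print(art.name, art.size, sorted(art.hashes))
    print(check_memory_sizes(arts))
```

To verify a file from disk, read it in binary mode and pass the bytes to verify() together with the matching Artifact; a result where only the MD5 matches but SHA256 does not is worth treating as a mismatch, which is why the per-algorithm detail is returned alongside the overall verdict.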