Resubmissions

12-12-2024 22:50

241212-2sgwma1rgq 10

12-12-2024 22:48

241212-2q4bva1rek 10

12-12-2024 22:33

241212-2g1jla1pfr 10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-12-2024 22:33

General

  • Target

    91b19fc66774a862fab4409242ddc106aa1b8b03e63d661d540899e16e687f7c.exe

  • Size

    3.1MB

  • MD5

    04142cb142b35b18f836c0f9195fbe59

  • SHA1

    f2f101e03548ca5169b776dc843116e988bca880

  • SHA256

    91b19fc66774a862fab4409242ddc106aa1b8b03e63d661d540899e16e687f7c

  • SHA512

    7baa1c45b8175e94daa21e71a12aa991a0f7455341681377c29887d2e0809c51dc0f54fafabff804e6183ee2ab6924748824c7310e6f831ece028434652100f2

  • SSDEEP

    49152:zWx4U7cvPNFUnTdOEfQpwxWPXApbYMPdbd0:U4KcvPNFsowx1xNd0

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

lumma

C2

https://drive-connect.cyou/api

https://covery-mover.biz/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Gcleaner family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 26 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 47 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Start PowerShell.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility to view network configuration.

  • Kills process with taskkill 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 44 IoCs
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 16 IoCs
  • Suspicious use of SendNotifyMessage 13 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\91b19fc66774a862fab4409242ddc106aa1b8b03e63d661d540899e16e687f7c.exe
    "C:\Users\Admin\AppData\Local\Temp\91b19fc66774a862fab4409242ddc106aa1b8b03e63d661d540899e16e687f7c.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Users\Admin\AppData\Local\Temp\1014430001\dwVrTdy.exe
        "C:\Users\Admin\AppData\Local\Temp\1014430001\dwVrTdy.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1808
        • C:\Program Files\Windows Media Player\graph\graph.exe
          "C:\Program Files\Windows Media Player\graph\graph.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:956
      • C:\Users\Admin\AppData\Local\Temp\1014431001\AzVRM7c.exe
        "C:\Users\Admin\AppData\Local\Temp\1014431001\AzVRM7c.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:636
        • C:\Program Files\Windows Media Player\graph\graph.exe
          "C:\Program Files\Windows Media Player\graph\graph.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1336
      • C:\Users\Admin\AppData\Local\Temp\1014432001\t5abhIx.exe
        "C:\Users\Admin\AppData\Local\Temp\1014432001\t5abhIx.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        PID:1980
      • C:\Users\Admin\AppData\Local\Temp\1014535001\CuKxXX0.exe
        "C:\Users\Admin\AppData\Local\Temp\1014535001\CuKxXX0.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ipconfig /release
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2168
          • C:\Windows\system32\ipconfig.exe
            ipconfig /release
            5⤵
            • Gathers network information
            PID:2756
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc …
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2960
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://google.com"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1044
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" https://google.com/
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            PID:2084
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2084 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2980
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2684 -s 796
          4⤵
          • Loads dropped DLL
          PID:2028
      • C:\Users\Admin\AppData\Local\Temp\1014543001\8218a5f152.exe
        "C:\Users\Admin\AppData\Local\Temp\1014543001\8218a5f152.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2288
      • C:\Users\Admin\AppData\Local\Temp\1014544001\5851a900b9.exe
        "C:\Users\Admin\AppData\Local\Temp\1014544001\5851a900b9.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2256
        • C:\Windows\system32\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2464
          • C:\Windows\system32\mode.com
            mode 65,10
            5⤵
              PID:2480
            • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
              7z.exe e file.zip -p24291711423417250691697322505 -oextracted
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              PID:2712
            • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
              7z.exe e extracted/file_7.zip -oextracted
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              PID:1716
            • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
              7z.exe e extracted/file_6.zip -oextracted
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              PID:2980
            • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
              7z.exe e extracted/file_5.zip -oextracted
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              PID:1036
            • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
              7z.exe e extracted/file_4.zip -oextracted
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              PID:1832
            • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
              7z.exe e extracted/file_3.zip -oextracted
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              PID:2180
            • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
              7z.exe e extracted/file_2.zip -oextracted
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              PID:1624
            • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
              7z.exe e extracted/file_1.zip -oextracted
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              PID:1240
            • C:\Windows\system32\attrib.exe
              attrib +H "in.exe"
              5⤵
              • Views/modifies file attributes
              PID:2188
            • C:\Users\Admin\AppData\Local\Temp\main\in.exe
              "in.exe"
              5⤵
              • Executes dropped EXE
              PID:1672
              • C:\Windows\system32\attrib.exe
                attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
                6⤵
                • Views/modifies file attributes
                PID:560
              • C:\Windows\system32\attrib.exe
                attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
                6⤵
                • Views/modifies file attributes
                PID:944
              • C:\Windows\system32\schtasks.exe
                schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
                6⤵
                • Scheduled Task/Job: Scheduled Task
                PID:372
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell ping 127.0.0.1; del in.exe
                6⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:992
                • C:\Windows\system32\PING.EXE
                  "C:\Windows\system32\PING.EXE" 127.0.0.1
                  7⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:1684
        • C:\Users\Admin\AppData\Local\Temp\1014545001\9513856a60.exe
          "C:\Users\Admin\AppData\Local\Temp\1014545001\9513856a60.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          PID:1152
          • C:\Users\Admin\AppData\Local\Temp\1014545001\9513856a60.exe
            "C:\Users\Admin\AppData\Local\Temp\1014545001\9513856a60.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies system certificate store
            PID:628
        • C:\Users\Admin\AppData\Local\Temp\1014546001\1611bfa5de.exe
          "C:\Users\Admin\AppData\Local\Temp\1014546001\1611bfa5de.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          PID:2564
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1014546001\1611bfa5de.exe" & rd /s /q "C:\ProgramData\9000ZCJ5XBIE" & exit
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2488
            • C:\Windows\SysWOW64\timeout.exe
              timeout /t 10
              5⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:2664
        • C:\Users\Admin\AppData\Local\Temp\1014547001\337cec4891.exe
          "C:\Users\Admin\AppData\Local\Temp\1014547001\337cec4891.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1704
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM firefox.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:560
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM chrome.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2356
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM msedge.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1572
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM opera.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2132
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM brave.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2024
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
            4⤵
              PID:1736
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                5⤵
                • Checks processor information in registry
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:2940
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.0.228418799\1742542589" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1176 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68723f79-6964-4c52-ab67-67a1a1c58592} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 1288 113d6b58 gpu
                  6⤵
                    PID:2528
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.1.660273441\34416897" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93fb64ff-69aa-410c-a3c3-a01df60d8a9b} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 1488 105fbf58 socket
                    6⤵
                      PID:2104
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.2.2021938065\250783" -childID 1 -isForBrowser -prefsHandle 1864 -prefMapHandle 1896 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6edc67fb-9bd1-45c1-837f-4900ea0e1ddb} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 2192 1a715258 tab
                      6⤵
                        PID:1588
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.3.1473554961\1941329834" -childID 2 -isForBrowser -prefsHandle 3008 -prefMapHandle 3004 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b21b4593-1041-4b50-a3d9-4b0c3daeec3d} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 3020 1da75b58 tab
                        6⤵
                          PID:1604
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.4.346791017\135530094" -childID 3 -isForBrowser -prefsHandle 3828 -prefMapHandle 3824 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbe79185-47d4-421d-86b5-480d3f8c705f} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 3840 20932358 tab
                          6⤵
                            PID:3676
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.5.1724362519\1198292866" -childID 4 -isForBrowser -prefsHandle 3944 -prefMapHandle 3948 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f764326e-e122-4fa3-a23a-7bb9eba37221} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 3932 20930e58 tab
                            6⤵
                              PID:3684
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2940.6.1766938740\1692106964" -childID 5 -isForBrowser -prefsHandle 4108 -prefMapHandle 4112 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1b6ca51-17da-478b-94b6-bda4ed9a139d} 2940 "\\.\pipe\gecko-crash-server-pipe.2940" 4092 20932058 tab
                              6⤵
                                PID:3692
                        • C:\Users\Admin\AppData\Local\Temp\1014548001\6241eff098.exe
                          "C:\Users\Admin\AppData\Local\Temp\1014548001\6241eff098.exe"
                          3⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2728
                        • C:\Users\Admin\AppData\Local\Temp\1014549001\1c46633ebb.exe
                          "C:\Users\Admin\AppData\Local\Temp\1014549001\1c46633ebb.exe"
                          3⤵
                          • Modifies Windows Defender Real-time Protection settings
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Windows security modification
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3132
                    • C:\Windows\system32\taskeng.exe
                      taskeng.exe {5423C332-21F7-4F0B-86AD-5656D4E81FD2} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
                      1⤵
                      • Loads dropped DLL
                      PID:3668
                      • C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
                        C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        PID:3804
                        • C:\Windows\explorer.exe
                          explorer.exe
                          3⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3872
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
                          3⤵
                          • Drops file in System32 directory
                          • System Network Configuration Discovery: Internet Connection Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4056
                          • C:\Windows\system32\PING.EXE
                            "C:\Windows\system32\PING.EXE" 127.1.10.1
                            4⤵
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:3144
                      • C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
                        C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        PID:2588
                        • C:\Windows\explorer.exe
                          explorer.exe
                          3⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3592
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
                          3⤵
                          • Drops file in System32 directory
                          • System Network Configuration Discovery: Internet Connection Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1616
                          • C:\Windows\system32\PING.EXE
                            "C:\Windows\system32\PING.EXE" 127.1.10.1
                            4⤵
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:1384

                    Network

                    MITRE ATT&CK Enterprise v15

                    Downloads

                    • C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f

                      Filesize

                      153KB

                    • C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip

                      Filesize

                      120KB

                    • C:\Program Files\Windows Media Player\graph\graph.exe

                      Filesize

                      245KB

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

                      Filesize

                      854B

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

                      Filesize

                      717B

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

                      Filesize

                      1KB

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

                      Filesize

                      914B

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_19CA6F55DA8A3B0AB12F649B745C90D5

                      Filesize

                      471B

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_6F7C58D8F5DC37AD0C4A3BEB81BE1660

                      Filesize

                      472B

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D73CE810F817D372CC78C5824C36E338

                      Filesize

                      504B

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

                      Filesize

                      1KB

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

                      Filesize

                      170B

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

                      Filesize

                      192B

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

                      Filesize

                      410B

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

                      Filesize

                      252B

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_19CA6F55DA8A3B0AB12F649B745C90D5

                      Filesize

                      402B

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                      Filesize

                      342B

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_6F7C58D8F5DC37AD0C4A3BEB81BE1660

                      Filesize

                      398B

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D73CE810F817D372CC78C5824C36E338

                      Filesize

                      550B

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

                      Filesize

                      242B

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\01LB6K3J\styles__ltr[1].css

                      Filesize

                      76KB

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CXRG2YQS\recaptcha__en[1].js

                      Filesize

                      546KB

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\download[1].htm

                      Filesize

                      1B

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\favicon[1].ico

                      Filesize

                      5KB

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\activity-stream.discovery_stream.json.tmp

                      Filesize

                      23KB

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

                      Filesize

                      15KB

                    • C:\Users\Admin\AppData\Local\Temp\1014430001\dwVrTdy.exe

                      Filesize

                      591KB

                    • C:\Users\Admin\AppData\Local\Temp\1014535001\CuKxXX0.exe

                      Filesize

                      5.6MB

                    • C:\Users\Admin\AppData\Local\Temp\1014543001\8218a5f152.exe

                      Filesize

                      1.9MB

                    • C:\Users\Admin\AppData\Local\Temp\1014544001\5851a900b9.exe

                      Filesize

                      4.2MB

                    • C:\Users\Admin\AppData\Local\Temp\1014545001\9513856a60.exe

                      Filesize

                      710KB

                    • C:\Users\Admin\AppData\Local\Temp\1014546001\1611bfa5de.exe

                      Filesize

                      384KB

                    • C:\Users\Admin\AppData\Local\Temp\1014547001\337cec4891.exe

                      Filesize

                      949KB

                    • C:\Users\Admin\AppData\Local\Temp\1014548001\6241eff098.exe

                      Filesize

                      1.8MB

                    • C:\Users\Admin\AppData\Local\Temp\1014549001\1c46633ebb.exe

                      Filesize

                      2.7MB

                    • C:\Users\Admin\AppData\Local\Temp\Cab1536.tmp

                      Filesize

                      70KB

                    • C:\Users\Admin\AppData\Local\Temp\Tar2389.tmp

                      Filesize

                      181KB

                    • C:\Users\Admin\AppData\Local\Temp\main\7z.dll

                      Filesize

                      1.6MB

                    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

                      Filesize

                      1.7MB

                    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

                      Filesize

                      1.7MB

                    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

                      Filesize

                      1.7MB

                    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

                      Filesize

                      3.3MB

                    • C:\Users\Admin\AppData\Local\Temp\main\file.bin

                      Filesize

                      3.3MB

                    • C:\Users\Admin\AppData\Local\Temp\main\main.bat

                      Filesize

                      440B

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                      Filesize

                      442KB

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                      Filesize

                      8.0MB

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WQUQMMF2GJUXBF80EAIN.temp

                      Filesize

                      7KB

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\db\data.safe.bin

                      Filesize

                      2KB

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\a4add3cd-ba93-495a-a049-9717a72cd87b

                      Filesize

                      10KB

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\ff00e9ce-7a4a-454c-91a3-38fb0b20dcfd

                      Filesize

                      745B

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

                      Filesize

                      997KB

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

                      Filesize

                      116B

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

                      Filesize

                      479B

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

                      Filesize

                      372B

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

                      Filesize

                      11.8MB

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                      Filesize

                      1KB

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                      Filesize

                      1KB

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs-1.js

                      Filesize

                      6KB

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs-1.js

                      Filesize

                      7KB

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs-1.js

                      Filesize

                      7KB

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionstore-backups\recovery.jsonlz4

                      Filesize

                      4KB

                    • \Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

                      Filesize

                      3.1MB

                    • \Users\Admin\AppData\Local\Temp\main\7z.exe

                      Filesize

                      458KB
