Overview

overview

10

Static

static

3

c2bee3616c...ly.exe

windows7-x64

10

c2bee3616c...ly.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2024 20:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe

  • Size

    2.8MB

  • MD5

    61cb850896f4b6aac18c72e82eb9ac90

  • SHA1

    c1fcdd242b13e4c5ad99f7e76da886288622b6dc

  • SHA256

    c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f

  • SHA512

    d156751d3d9e353a116e55cbc9a9e87da03a4d29efe529344ce996324ec361f0472724bb8162c2be7ea6f291aaf2f7cbbc8659672777e182e40283fa661a2043

  • SSDEEP

    49152:nZNt60MWKf4ZmSXyOQqcxSdj04drGcnaj0GpmeogTOpGg:nZNt66Kf4Zm4yOraSd44ZGEaoGpkzGg

Score
10/10
amadeylummavidar9c9aa5credential_accessdiscoveryevasionexecutionpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detect Vidar Stealer 2 IoCs
    stealer
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Enumerates VirtualBox registry keys 2 TTPs 2 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
    evasion
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 24 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 12 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 42 IoCs
  • Identifies Wine through registry keys 2 TTPs 12 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Uses the VBS compiler for execution 1 TTPs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates processes with tasklist 1 TTPs 4 IoCs
    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
  • Suspicious use of SetThreadContext 9 IoCs
  • Drops file in Windows directory 11 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 14 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 61 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3592
      • C:\Users\Admin\AppData\Local\Temp\c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe
        "C:\Users\Admin\AppData\Local\Temp\c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1892
        • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
          "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1780
          • C:\Users\Admin\AppData\Local\Temp\1018586001\KDLBJP7.exe
            "C:\Users\Admin\AppData\Local\Temp\1018586001\KDLBJP7.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:2508
          • C:\Users\Admin\AppData\Local\Temp\1018676001\systemetape.exe
            "C:\Users\Admin\AppData\Local\Temp\1018676001\systemetape.exe"
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Drops startup file
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4184
          • C:\Users\Admin\AppData\Local\Temp\1018833001\WEX7mCI.exe
            "C:\Users\Admin\AppData\Local\Temp\1018833001\WEX7mCI.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:916
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c move App App.cmd & App.cmd
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4760
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist
                6⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:3216
              • C:\Windows\SysWOW64\findstr.exe
                findstr /I "opssvc wrsa"
                6⤵
                  PID:4292
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist
                  6⤵
                  • Enumerates processes with tasklist
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4376
                • C:\Windows\SysWOW64\findstr.exe
                  findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:1044
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c md 245347
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:2260
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /V "profiles" Organizing
                  6⤵
                    PID:3564
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c copy /b ..\Judy + ..\Sheets + ..\Another + ..\Wanting b
                    6⤵
                    • System Location Discovery: System Language Discovery
                    PID:3936
                  • C:\Users\Admin\AppData\Local\Temp\245347\Dry.com
                    Dry.com b
                    6⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Checks processor information in registry
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    PID:1096
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\245347\Dry.com" & rd /s /q "C:\ProgramData\CTRQ9ZCBA1N7" & exit
                      7⤵
                      • System Location Discovery: System Language Discovery
                      PID:3308
                      • C:\Windows\SysWOW64\timeout.exe
                        timeout /t 10
                        8⤵
                        • System Location Discovery: System Language Discovery
                        • Delays execution with timeout.exe
                        PID:5060
                  • C:\Windows\SysWOW64\choice.exe
                    choice /d y /t 5
                    6⤵
                      PID:3896
                • C:\Users\Admin\AppData\Local\Temp\1018838001\c4601f5571.exe
                  "C:\Users\Admin\AppData\Local\Temp\1018838001\c4601f5571.exe"
                  4⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1884
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "powershell.exe" Add-MpPreference -ExclusionPath "C:\cebym"
                    5⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4532
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
                    5⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4904
                  • C:\cebym\5da66ec319e8477aaeb0313b6ce0b9d4.exe
                    "C:\cebym\5da66ec319e8477aaeb0313b6ce0b9d4.exe"
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious use of SetWindowsHookEx
                    PID:5008
                • C:\Users\Admin\AppData\Local\Temp\1018850001\574839d7c4.exe
                  "C:\Users\Admin\AppData\Local\Temp\1018850001\574839d7c4.exe"
                  4⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3808
                • C:\Users\Admin\AppData\Local\Temp\1018851001\015c82ce41.exe
                  "C:\Users\Admin\AppData\Local\Temp\1018851001\015c82ce41.exe"
                  4⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:1592
                  • C:\Users\Admin\AppData\Local\Temp\1018851001\015c82ce41.exe
                    "C:\Users\Admin\AppData\Local\Temp\1018851001\015c82ce41.exe"
                    5⤵
                    • Executes dropped EXE
                    PID:2800
                  • C:\Users\Admin\AppData\Local\Temp\1018851001\015c82ce41.exe
                    "C:\Users\Admin\AppData\Local\Temp\1018851001\015c82ce41.exe"
                    5⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:4764
                • C:\Users\Admin\AppData\Local\Temp\1018852001\003.exe
                  "C:\Users\Admin\AppData\Local\Temp\1018852001\003.exe"
                  4⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  PID:1532
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                    5⤵
                    • Sets service image path in registry
                    • Suspicious behavior: LoadsDriver
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2332
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell Add-MpPreference -ExclusionPath C:\
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2468
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell Remove-MpPreference -ExclusionPath C:\
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2236
                • C:\Users\Admin\AppData\Local\Temp\1018853001\b7e60c38a4.exe
                  "C:\Users\Admin\AppData\Local\Temp\1018853001\b7e60c38a4.exe"
                  4⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4664
                  • C:\Users\Admin\AppData\Local\Temp\1018853001\b7e60c38a4.exe
                    "C:\Users\Admin\AppData\Local\Temp\1018853001\b7e60c38a4.exe"
                    5⤵
                    • Executes dropped EXE
                    PID:2116
                  • C:\Users\Admin\AppData\Local\Temp\1018853001\b7e60c38a4.exe
                    "C:\Users\Admin\AppData\Local\Temp\1018853001\b7e60c38a4.exe"
                    5⤵
                    • Executes dropped EXE
                    PID:4128
                  • C:\Users\Admin\AppData\Local\Temp\1018853001\b7e60c38a4.exe
                    "C:\Users\Admin\AppData\Local\Temp\1018853001\b7e60c38a4.exe"
                    5⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5256
                • C:\Users\Admin\AppData\Local\Temp\1018854001\0347c97398.exe
                  "C:\Users\Admin\AppData\Local\Temp\1018854001\0347c97398.exe"
                  4⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:1172
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c move App App.cmd & App.cmd
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:3240
                    • C:\Windows\SysWOW64\tasklist.exe
                      tasklist
                      6⤵
                      • Enumerates processes with tasklist
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:844
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /I "opssvc wrsa"
                      6⤵
                      • System Location Discovery: System Language Discovery
                      PID:4056
                    • C:\Windows\SysWOW64\tasklist.exe
                      tasklist
                      6⤵
                      • Enumerates processes with tasklist
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4944
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                      6⤵
                      • System Location Discovery: System Language Discovery
                      PID:628
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c md 245347
                      6⤵
                      • System Location Discovery: System Language Discovery
                      PID:2628
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /V "profiles" Organizing
                      6⤵
                      • System Location Discovery: System Language Discovery
                      PID:4812
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c copy /b ..\Judy + ..\Sheets + ..\Another + ..\Wanting b
                      6⤵
                        PID:4908
                      • C:\Users\Admin\AppData\Local\Temp\245347\Dry.com
                        Dry.com b
                        6⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Checks processor information in registry
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:644
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\245347\Dry.com" & rd /s /q "C:\ProgramData\IEUAAIW47GV3" & exit
                          7⤵
                          • System Location Discovery: System Language Discovery
                          PID:4888
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout /t 10
                            8⤵
                            • System Location Discovery: System Language Discovery
                            • Delays execution with timeout.exe
                            PID:1304
                      • C:\Windows\SysWOW64\choice.exe
                        choice /d y /t 5
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:2388
                  • C:\Users\Admin\AppData\Local\Temp\1018855001\33a6e8d770.exe
                    "C:\Users\Admin\AppData\Local\Temp\1018855001\33a6e8d770.exe"
                    4⤵
                    • Enumerates VirtualBox registry keys
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3620
                  • C:\Users\Admin\AppData\Local\Temp\1018856001\ab78005b36.exe
                    "C:\Users\Admin\AppData\Local\Temp\1018856001\ab78005b36.exe"
                    4⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4368
                  • C:\Users\Admin\AppData\Local\Temp\1018857001\f51416a8ee.exe
                    "C:\Users\Admin\AppData\Local\Temp\1018857001\f51416a8ee.exe"
                    4⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1776
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "powershell.exe" Add-MpPreference -ExclusionPath "C:\lnzhun"
                      5⤵
                      • Command and Scripting Interpreter: PowerShell
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:6000
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
                      5⤵
                      • Command and Scripting Interpreter: PowerShell
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5692
                    • C:\lnzhun\7df5a524fe8248ff96e8926d0ec6a370.exe
                      "C:\lnzhun\7df5a524fe8248ff96e8926d0ec6a370.exe"
                      5⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks processor information in registry
                      PID:664
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\lnzhun\7df5a524fe8248ff96e8926d0ec6a370.exe" & rd /s /q "C:\ProgramData\O8GDBAS0ZU37" & exit
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:7088
                        • C:\Windows\SysWOW64\timeout.exe
                          timeout /t 10
                          7⤵
                          • System Location Discovery: System Language Discovery
                          • Delays execution with timeout.exe
                          PID:7792
                    • C:\lnzhun\0daa390795d745439fc18a2370173071.exe
                      "C:\lnzhun\0daa390795d745439fc18a2370173071.exe"
                      5⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5712
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://apps.microsoft.com/store/detail/9MSZ40SLW145?ocid=&referrer=psi
                        6⤵
                        • Enumerates system info in registry
                        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:7120
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd889d46f8,0x7ffd889d4708,0x7ffd889d4718
                          7⤵
                            PID:7048
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,13198628172263509006,10627362460837543163,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
                            7⤵
                              PID:6064
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,13198628172263509006,10627362460837543163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
                              7⤵
                                PID:4872
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,13198628172263509006,10627362460837543163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
                                7⤵
                                  PID:5920
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13198628172263509006,10627362460837543163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
                                  7⤵
                                    PID:7272
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13198628172263509006,10627362460837543163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
                                    7⤵
                                      PID:7288
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,13198628172263509006,10627362460837543163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
                                      7⤵
                                        PID:6596
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,13198628172263509006,10627362460837543163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
                                        7⤵
                                          PID:2640
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13198628172263509006,10627362460837543163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
                                          7⤵
                                            PID:5856
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13198628172263509006,10627362460837543163,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
                                            7⤵
                                              PID:6116
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13198628172263509006,10627362460837543163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
                                              7⤵
                                                PID:5592
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13198628172263509006,10627362460837543163,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
                                                7⤵
                                                  PID:6476
                                          • C:\Users\Admin\AppData\Local\Temp\1018859001\896064fdcb.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1018859001\896064fdcb.exe"
                                            4⤵
                                            • Enumerates VirtualBox registry keys
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            PID:5332
                                          • C:\Users\Admin\AppData\Local\Temp\1018860001\c4278bf154.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1018860001\c4278bf154.exe"
                                            4⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            PID:7808
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -u -p 7808 -s 476
                                              5⤵
                                              • Program crash
                                              PID:5028
                                          • C:\Users\Admin\AppData\Local\Temp\1018861001\af08f98cc0.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1018861001\af08f98cc0.exe"
                                            4⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            PID:2896
                                          • C:\Users\Admin\AppData\Local\Temp\1018862001\1e1ef38d95.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1018862001\1e1ef38d95.exe"
                                            4⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            PID:2800
                                          • C:\Users\Admin\AppData\Local\Temp\1018863001\6e20b0fd76.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1018863001\6e20b0fd76.exe"
                                            4⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of FindShellTrayWindow
                                            • Suspicious use of SendNotifyMessage
                                            PID:7932
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /IM firefox.exe /T
                                              5⤵
                                              • System Location Discovery: System Language Discovery
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2836
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /IM chrome.exe /T
                                              5⤵
                                              • System Location Discovery: System Language Discovery
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1424
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /IM msedge.exe /T
                                              5⤵
                                              • System Location Discovery: System Language Discovery
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4152
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /IM opera.exe /T
                                              5⤵
                                              • System Location Discovery: System Language Discovery
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:6468
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /IM brave.exe /T
                                              5⤵
                                              • System Location Discovery: System Language Discovery
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:6000
                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                              "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                                              5⤵
                                                PID:5936
                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                                                  6⤵
                                                  • Checks processor information in registry
                                                  • Modifies registry class
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SendNotifyMessage
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:3344
                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4879da38-b2e4-4752-b181-f64e2e0e59dd} 3344 "\\.\pipe\gecko-crash-server-pipe.3344" gpu
                                                    7⤵
                                                      PID:5684
                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffc663c2-627f-44db-84bc-4211b14918c5} 3344 "\\.\pipe\gecko-crash-server-pipe.3344" socket
                                                      7⤵
                                                        PID:7396
                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2700 -childID 1 -isForBrowser -prefsHandle 3184 -prefMapHandle 3228 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca12b59b-03ab-4974-96ed-2ea8d691b787} 3344 "\\.\pipe\gecko-crash-server-pipe.3344" tab
                                                        7⤵
                                                          PID:7312
                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3960 -childID 2 -isForBrowser -prefsHandle 3972 -prefMapHandle 3968 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b20a3042-af26-4b3b-a92a-aa003f641ddf} 3344 "\\.\pipe\gecko-crash-server-pipe.3344" tab
                                                          7⤵
                                                            PID:5716
                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4732 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4736 -prefMapHandle 4728 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {880389b6-00a6-4ccc-ac69-520aa243a627} 3344 "\\.\pipe\gecko-crash-server-pipe.3344" utility
                                                            7⤵
                                                            • Checks processor information in registry
                                                            PID:3240
                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5216 -childID 3 -isForBrowser -prefsHandle 4916 -prefMapHandle 4948 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e07ea885-290d-4ef2-8f61-df017d7eb139} 3344 "\\.\pipe\gecko-crash-server-pipe.3344" tab
                                                            7⤵
                                                              PID:4652
                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 4 -isForBrowser -prefsHandle 5200 -prefMapHandle 5204 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09bf32b6-e0f2-4a2c-ad45-c2e1d3bcafb2} 3344 "\\.\pipe\gecko-crash-server-pipe.3344" tab
                                                              7⤵
                                                                PID:3376
                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5772 -childID 5 -isForBrowser -prefsHandle 5764 -prefMapHandle 5760 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bd349aa-114b-4dd4-a1ed-e11ee49d87bb} 3344 "\\.\pipe\gecko-crash-server-pipe.3344" tab
                                                                7⤵
                                                                  PID:8184
                                                          • C:\Users\Admin\AppData\Local\Temp\1018864001\31c1fa8fe1.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\1018864001\31c1fa8fe1.exe"
                                                            4⤵
                                                            • Modifies Windows Defender Real-time Protection settings
                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                            • Checks BIOS information in registry
                                                            • Executes dropped EXE
                                                            • Identifies Wine through registry keys
                                                            • Windows security modification
                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:7388
                                                      • C:\Users\Admin\AppData\Local\Temp\1018676001\systemetape.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\1018676001\systemetape.exe"
                                                        2⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Drops file in Windows directory
                                                        • System Location Discovery: System Language Discovery
                                                        PID:1716
                                                        • C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe"
                                                          3⤵
                                                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetThreadContext
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1588
                                                      • C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe"
                                                        2⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Adds Run key to start application
                                                        • System Location Discovery: System Language Discovery
                                                        PID:7340
                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\10001320110\terms.dll, Main
                                                          3⤵
                                                          • Blocklisted process makes network request
                                                          • Loads dropped DLL
                                                          • System Location Discovery: System Language Discovery
                                                          PID:6308
                                                        • C:\Users\Admin\AppData\Local\Temp\10001330101\eula.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\10001330101\eula.exe"
                                                          3⤵
                                                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetThreadContext
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:7224
                                                      • C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        PID:5264
                                                      • C:\Users\Admin\AppData\Local\Temp\10001330101\eula.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\10001330101\eula.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • Drops file in Windows directory
                                                        • System Location Discovery: System Language Discovery
                                                        PID:3472
                                                      • C:\ProgramData\uwchcfd\fosul.exe
                                                        "C:\ProgramData\uwchcfd\fosul.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:5284
                                                      • C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        PID:5824
                                                    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                      1⤵
                                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                      • Checks BIOS information in registry
                                                      • Executes dropped EXE
                                                      • Identifies Wine through registry keys
                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:2508
                                                    • C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
                                                      C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
                                                      1⤵
                                                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetThreadContext
                                                      • System Location Discovery: System Language Discovery
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:5308
                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                      1⤵
                                                        PID:7252
                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                        1⤵
                                                          PID:7700
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 7808 -ip 7808
                                                          1⤵
                                                            PID:5560
                                                          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                            C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                            1⤵
                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                            • Checks BIOS information in registry
                                                            • Executes dropped EXE
                                                            • Identifies Wine through registry keys
                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                            PID:6964
                                                          • C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
                                                            C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
                                                            1⤵
                                                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:4936
                                                          • C:\ProgramData\uwchcfd\fosul.exe
                                                            C:\ProgramData\uwchcfd\fosul.exe
                                                            1⤵
                                                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:7916

                                                          Network

                                                          MITRE ATT&CK Enterprise v15

                                                          Reconnaissance

                                                          Resource Development

                                                          Initial Access

                                                          Execution

                                                          Command and Scripting Interpreter

                                                          2
                                                          T1059

                                                          PowerShell

                                                          1
                                                          T1059.001

                                                          Persistence

                                                          Boot or Logon Autostart Execution

                                                          2
                                                          T1547

                                                          Registry Run Keys / Startup Folder

                                                          2
                                                          T1547.001

                                                          Create or Modify System Process

                                                          1
                                                          T1543

                                                          Windows Service

                                                          1
                                                          T1543.003

                                                          Privilege Escalation

                                                          Boot or Logon Autostart Execution

                                                          2
                                                          T1547

                                                          Registry Run Keys / Startup Folder

                                                          2
                                                          T1547.001

                                                          Create or Modify System Process

                                                          1
                                                          T1543

                                                          Windows Service

                                                          1
                                                          T1543.003

                                                          Defense Evasion

                                                          Impair Defenses

                                                          2
                                                          T1562

                                                          Disable or Modify Tools

                                                          2
                                                          T1562.001

                                                          Modify Registry

                                                          4
                                                          T1112

                                                          Virtualization/Sandbox Evasion

                                                          3
                                                          T1497

                                                          Credential Access

                                                          Unsecured Credentials

                                                          2
                                                          T1552

                                                          Credentials In Files

                                                          2
                                                          T1552.001

                                                          Discovery

                                                          Browser Information Discovery

                                                          1
                                                          T1217

                                                          Process Discovery

                                                          1
                                                          T1057

                                                          Query Registry

                                                          9
                                                          T1012

                                                          System Information Discovery

                                                          5
                                                          T1082

                                                          System Location Discovery

                                                          1
                                                          T1614

                                                          System Language Discovery

                                                          1
                                                          T1614.001

                                                          Virtualization/Sandbox Evasion

                                                          3
                                                          T1497

                                                          Lateral Movement

                                                          Collection

                                                          Data from Local System

                                                          1
                                                          T1005

                                                          Command and Control

                                                          Web Service

                                                          1
                                                          T1102

                                                          Exfiltration

                                                          Impact

                                                          Replay Monitor

                                                          Loading Replay Monitor...

                                                          Downloads

                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                            Filesize

                                                            2KB

                                                            MD5

                                                            d85ba6ff808d9e5444a4b369f5bc2730

                                                            SHA1

                                                            31aa9d96590fff6981b315e0b391b575e4c0804a

                                                            SHA256

                                                            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                            SHA512

                                                            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                                            Filesize

                                                            2KB

                                                            MD5

                                                            968cb9309758126772781b83adb8a28f

                                                            SHA1

                                                            8da30e71accf186b2ba11da1797cf67f8f78b47c

                                                            SHA256

                                                            92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                                                            SHA512

                                                            4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                            Filesize

                                                            152B

                                                            MD5

                                                            34d2c4f40f47672ecdf6f66fea242f4a

                                                            SHA1

                                                            4bcad62542aeb44cae38a907d8b5a8604115ada2

                                                            SHA256

                                                            b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

                                                            SHA512

                                                            50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                            Filesize

                                                            152B

                                                            MD5

                                                            8749e21d9d0a17dac32d5aa2027f7a75

                                                            SHA1

                                                            a5d555f8b035c7938a4a864e89218c0402ab7cde

                                                            SHA256

                                                            915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

                                                            SHA512

                                                            c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                            Filesize

                                                            120B

                                                            MD5

                                                            22a77017f716c756a97b2903ffe94ebb

                                                            SHA1

                                                            676f625a74e5c44a4115d5d274a75eb13382a3d4

                                                            SHA256

                                                            fb12eb2f6ae22f47beb5654640720036d643898871050cd23c8683963de09e3f

                                                            SHA512

                                                            23e9bde53d0f24fde81f6cc63f4d352a5e3e5f91fc71f3aedc25824dffad2f4eebc5d10d1baafc99aa932dd89b3387584bd40908a957d8b9f6d0edf2cee93fce

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                            Filesize

                                                            5KB

                                                            MD5

                                                            747550941b3e4c7be5dddf1b4ec63ba3

                                                            SHA1

                                                            a0760d6ef1b271065a1ce66ca3a20e2ecdf2fa7b

                                                            SHA256

                                                            618dda497929834d4bda366089a1eb56d3184fb219254cab26f7f5966063f42e

                                                            SHA512

                                                            89a9b876cfcf3f9b50f9f6a2ea5af1d03231e556bf1b35763b849be65c9650cb64d822d38f05e0c1b3c7c57df28dff770cdd92403de55aca6af8f2ee74c001d5

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                            Filesize

                                                            6KB

                                                            MD5

                                                            a48da4c6c4f601f5c97009551289d65e

                                                            SHA1

                                                            cfb13275981592585196dbc89d34c236ff44c064

                                                            SHA256

                                                            c89e74831cc0b96c83baf5394465ae5e4424376e9e7bff381c03cc4f682e3e88

                                                            SHA512

                                                            d96eef4e9dd1a5d480988789e8c70a4abc8ba804bd5518ad3a3b60db1ddc33347eaf52411a0d8fb7e422d8741d9486faa1b40bb3d5f428ab23136e11cb34e0be

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\503d1e53-7c9f-43c7-9b38-7f44de6b9364\index-dir\the-real-index
                                                            Filesize

                                                            72B

                                                            MD5

                                                            57d5d3e895f0625323914a76c4b1dc35

                                                            SHA1

                                                            c89961ba84bd86d36188e4efc1de19578f945840

                                                            SHA256

                                                            80e6be13db6f94d00ad6c41b9411ad71f0728bebf06ad1008dcdac3e304ad295

                                                            SHA512

                                                            3eda61576fc1c1847b75755da14fca986e1a83c07b0b11520b68c0878fa65a7f14d8a508719bda5976904bd5ad6066b66919fceb7df06c1c8d2cee1ed7acfe5e

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\503d1e53-7c9f-43c7-9b38-7f44de6b9364\index-dir\the-real-index~RFe58dc32.TMP
                                                            Filesize

                                                            48B

                                                            MD5

                                                            6fcdd2a9dc1d182fe3992169e4a6dbec

                                                            SHA1

                                                            e4b3a441fb9f4a96d3babf46a69bc66597f3fd62

                                                            SHA256

                                                            8cb1af895c7c4c5b5759c254e6d1a19a0093641f3865101c3b9855d25ef5c08d

                                                            SHA512

                                                            02a850858c7eb51231acc60bd4bb5e8a6bcfb5e003c28ec2d61253e2697902a82bdcccc879ab714b29f4e44868bf29b1b3290b60c7e4f4e9d65f43c5f9d789c7

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
                                                            Filesize

                                                            109B

                                                            MD5

                                                            601c84588eaacc0da032c24d914b65e9

                                                            SHA1

                                                            e6ab5241592ac502ff3b8f2e592befe3b2581ee0

                                                            SHA256

                                                            963c1e1af8b05d91d03365a8f84b28bb3e2d54c98248c7b54da05b0e472f99d4

                                                            SHA512

                                                            b247884073a809c69609ad3ae93b894ab15fbd51bceeaed6b57c7375e00d5c0a47c9368f295c2eae93a8d52a817d7e5472f3918ed9a0c9cde8b1cea473145c6d

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
                                                            Filesize

                                                            204B

                                                            MD5

                                                            eac3db37c28abbd13a39baac0d921bb7

                                                            SHA1

                                                            a7a9860df8d9b1e2d754391b3d54bf2103292044

                                                            SHA256

                                                            b7439a9984a4dc445d470de69b4188843a86bf58d8d2e618b2c3850af1358cf0

                                                            SHA512

                                                            141d2de7ee4702fa52b49fc62bc9c9d14b4e742af81c4cf889ea204dfd40fd3f4ca566c22a08d957f7d80ddcdc7ab1bb8f7ff4d04f39caaae7a8e70ad317b6cc

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
                                                            Filesize

                                                            72B

                                                            MD5

                                                            a91c622aaf294237704c934961cbaf74

                                                            SHA1

                                                            350d5feda35bb8a6c3e2bc9683b00234b5f1113a

                                                            SHA256

                                                            e7136b3d56e14aca332a9f063f674cdacbe3c8835b3c7d5fadca38f744c243c6

                                                            SHA512

                                                            0a36136e9f76e87267ec1c5a8ea220466214e675036a395b7e32b171e586dc1cad746e6d2c48330dbb35ce513ec4f76f7914a709b69b3a775de7035fd502ce94

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58dbe4.TMP
                                                            Filesize

                                                            48B

                                                            MD5

                                                            2235f7cbb68e6b32da107e27502e08b3

                                                            SHA1

                                                            819633c017c2e5bbdc16393166852375919c4397

                                                            SHA256

                                                            b6c8ddd557717b1e709c18301d2e25eb105ecdd743d8a4d99d6ddd4307129407

                                                            SHA512

                                                            8d1044ffcc1e5ec375c121eac3334efcc9ce85646fd0096c9c56748296d14c9cf014d6f36fc1cf8d1042766374a2c5f55bfaca978cfe44a1ac7d7e858bcb3ada

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                            Filesize

                                                            204B

                                                            MD5

                                                            7f6af06a9af8503cfff16bb300d9908b

                                                            SHA1

                                                            a381d07e836e1c4efecb6ca2250fbbbcaa157618

                                                            SHA256

                                                            25608cf758bb832fcb322b28c49b850e7e99a94bdfa9d344f4c835942947ec39

                                                            SHA512

                                                            d228778fa4ab1ee56d72c654a6dc009cc7ea79e9f46d3d31611943995eacbb0a56f589638969781057f69a9edcf9b9a7bc27580c5a80d8c2ef2cd5dcc9d72a58

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d954.TMP
                                                            Filesize

                                                            204B

                                                            MD5

                                                            df970a106ad8763c0d2a51681f350196

                                                            SHA1

                                                            fdeb0b47864a030ecdc7ce23a689385adc1bd10d

                                                            SHA256

                                                            ef36caf44891639ef7a7bb4c59e69567f1779150378827328f4a2f36c58e7fba

                                                            SHA512

                                                            63e400090415bce16f41ae25ffb64fbd38d76f6f884d6b51f8583b117f544b7e0e5e6b06999bb098d690516b3f8afa4dc34050692bf983acf6e9c36d295b96bf

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                            Filesize

                                                            16B

                                                            MD5

                                                            46295cac801e5d4857d09837238a6394

                                                            SHA1

                                                            44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                            SHA256

                                                            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                            SHA512

                                                            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                            Filesize

                                                            16B

                                                            MD5

                                                            206702161f94c5cd39fadd03f4014d98

                                                            SHA1

                                                            bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                            SHA256

                                                            1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                            SHA512

                                                            0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                            Filesize

                                                            10KB

                                                            MD5

                                                            771e7c8b28f031776ae4a62b1dc8ffc9

                                                            SHA1

                                                            cee65f013687c7c04874f8253a486554af6b4574

                                                            SHA256

                                                            1d3b449ef937aa90e077e74925348d3959ec4de2bc9b0643f35cbb7ec5c52042

                                                            SHA512

                                                            4ad1a8b4d8d6677be248d0d4f4882a3f3b48a3acc36636728131c3761df2a1d5bd17cfbe6f008beb9ec0e5ebd7f892521f084f4a6c2324baf482433a3116abb1

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\download[1].htm
                                                            Filesize

                                                            1B

                                                            MD5

                                                            cfcd208495d565ef66e7dff9f98764da

                                                            SHA1

                                                            b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                                            SHA256

                                                            5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                                            SHA512

                                                            31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                            Filesize

                                                            18KB

                                                            MD5

                                                            c8b46ff833a57e6088161b8a03f84d98

                                                            SHA1

                                                            adb8a03872e1c65f40bf8812b8f305eec5d2a6ac

                                                            SHA256

                                                            3fa8eb62f8be6f6d4c7d5f369df16495324bd46bd49213ff2818cfe7c72e0d9b

                                                            SHA512

                                                            7c7b29950dffa959c8aebfacc9ffdbb0691511c98fd435dad70d0e9337d178965c1794d3078d7de79c367aa122c9d674d6f66ef85aa177c44d4858af1fcf56fe

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                            Filesize

                                                            18KB

                                                            MD5

                                                            878d52b4d76a57387226fa35f508a086

                                                            SHA1

                                                            dadb71d47e035ae6dd8a5fda180127ba6ce2df2d

                                                            SHA256

                                                            0516913e1d8c41b05470e17638bd9795882f255b23286dfbf2d0f1e01c1be558

                                                            SHA512

                                                            1ca06ea0828a7675fca4d8193b6f9410644fd5054424c49005eee4a753618fc1d8d260eb58d429dfb03741b8122430b0cb3c114c0004161eb4f66a1588fa23c8

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                            Filesize

                                                            944B

                                                            MD5

                                                            9b80cd7a712469a4c45fec564313d9eb

                                                            SHA1

                                                            6125c01bc10d204ca36ad1110afe714678655f2d

                                                            SHA256

                                                            5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

                                                            SHA512

                                                            ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\activity-stream.discovery_stream.json
                                                            Filesize

                                                            18KB

                                                            MD5

                                                            429896aaf5197a3b8c0f492cf2ebc2ed

                                                            SHA1

                                                            c735d9a099f69f8c5d67b741dc51abeb53cdbcad

                                                            SHA256

                                                            e3a4e1ca63859ce27f9d7f5f3251015e143f0e002fd03a20b2b3510209c483b5

                                                            SHA512

                                                            b80832315a25602cdd379c688c59fc29a1a17d4db4fe76ab590695756366b4a1ff42fba412dcb80a6b8ce2480aa02e0493329fa64e844254ce6a562ee0df6f17

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\cache2\entries\6653BC7BE242C21AA1988A4A42D1DEDA18231C31
                                                            Filesize

                                                            13KB

                                                            MD5

                                                            4927c9f71dedc8432868ce3c1705d6aa

                                                            SHA1

                                                            386a545348fc5cd0f9369e70047c554c61ad74d8

                                                            SHA256

                                                            2b994857305e86e2465f446abe31cfe57357c47e48bfbe4ae69ed31f7ef5c9dc

                                                            SHA512

                                                            a5c7d40dbdf54f55fd3d6ea50f6ebe890076fa8ac8668771ab3051888c2d3e5bd1cc409f90d1d9a67f71bc6a527317b5528b251314c1c66ba0a0c6b35f03022f

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
                                                            Filesize

                                                            13KB

                                                            MD5

                                                            de135d214618aa956b871604494dd911

                                                            SHA1

                                                            8233fcf53d12cb061d6230d99e43156c1ae566b8

                                                            SHA256

                                                            8f177148d9986a4da01224c89da2b330c49d9c969218a2affe15a0f49ead796b

                                                            SHA512

                                                            a2a2ea0a5b16fb481e724d0cb6600c8c61b00c629eadd48c7abc4a35ff41f5c445c150797fd5f6d94cc0553cd7cb41999a0f45bb49b66a57a1e8dcf061b7deca

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                                                            Filesize

                                                            15KB

                                                            MD5

                                                            96c542dec016d9ec1ecc4dddfcbaac66

                                                            SHA1

                                                            6199f7648bb744efa58acf7b96fee85d938389e4

                                                            SHA256

                                                            7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                                                            SHA512

                                                            cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10001330101\eula.exe
                                                            Filesize

                                                            2.0MB

                                                            MD5

                                                            cf14dd806489fb5772ebcea711b535a3

                                                            SHA1

                                                            064e5c703dd348e7408bbfbc0351467e624eea9b

                                                            SHA256

                                                            f719bd30d817c69e08d81266a4007c60a8c9ad98ddae27d0fa73f9e530b644ac

                                                            SHA512

                                                            d409ae1228e64f2d311a07e21f04c6a2eea38730db1178e8214725943a1bda31bf9c47d5eba6ea860403b593b98a8ba7ec42dc183385cf659fa64d18a7abb67f

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10001330101\eula.exe
                                                            Filesize

                                                            1.0MB

                                                            MD5

                                                            73703d5bb617732c13350e6cc99e6c25

                                                            SHA1

                                                            c09633d94f419676a89c525ff7044bee3b27edf5

                                                            SHA256

                                                            e29f810eb7e50e88f466808b49e5068fdef0158c0646c14bada596b4cecdf0e4

                                                            SHA512

                                                            6e25df2bea7571e94258b4e1beca337caa535ab4abe713602a1e50a39c604d332bb82504615b07da799b1e5435dd117ea178dbce0c03992d2e9da6a60dcebde7

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\1018586001\KDLBJP7.exe
                                                            Filesize

                                                            1.8MB

                                                            MD5

                                                            27c1f96d7e1b72b6817b6efeff037f90

                                                            SHA1

                                                            2972cc112fc7e20cbf5952abe07407b8c1fbb2a2

                                                            SHA256

                                                            aec3ec473de321d123e939985579227ee62b53b3b3edb7ab96e2a66c17e9696d

                                                            SHA512

                                                            9a31dc9945889d35aea8710df2f42806c72c422b7b5f4aa8acba6986cbd9ea6a49181a41a50ee21ccbed86cbff87c98a742e681ac3f6a87e2bd4436c9112eb32

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\1018676001\systemetape.exe
                                                            Filesize

                                                            1.2MB

                                                            MD5

                                                            545b933cac5def6ec43ca2cb6eac9d8e

                                                            SHA1

                                                            f2740a1062032cc280d54c4cfe6a1ff3c6ce1c76

                                                            SHA256

                                                            efce8cc629bb9f443613c7ec97b65020b514b9ee497d472ef24fed21bceb86c4

                                                            SHA512

                                                            f4853f10933edbf7df0ca6138bb423e5dfb18cf6431068a776a0c53ea226f176d263b9514066b88861360b161ba922b618f306f1936a95e1071fc70926418caa

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\1018833001\WEX7mCI.exe
                                                            Filesize

                                                            842KB

                                                            MD5

                                                            8eb4f92605e35c57a42b0917c221d65c

                                                            SHA1

                                                            0e64d77ef1b917b3afe512b49710250c71369175

                                                            SHA256

                                                            b57d78d93f74f7ae840ab03d3fda4f22a24ad35afcf9a53128cf82a92a67a085

                                                            SHA512

                                                            4cc5db426c8de3d7afdcfa26440d5bd9a885f5148e4307b8d04c5d56c96672d5c82ed9989bf346ce7aecea07d980735c46a930b885f824ba53738ac76dbb05bf

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\1018838001\c4601f5571.exe
                                                            Filesize

                                                            21KB

                                                            MD5

                                                            14becdf1e2402e9aa6c2be0e6167041e

                                                            SHA1

                                                            72cbbae6878f5e06060a0038b25ede93b445f0df

                                                            SHA256

                                                            7a769963165063758f15f6e0cece25c9d13072f67fa0d3c25a03a5104fe0783a

                                                            SHA512

                                                            16b837615505f352e134afd9d8655c9cabfa5bfcfbee2c0c34f2d7d9588aa71f875e4e5feb8cdf0f7bacc00f7c1ca8dabd3b3d92afc99abf705c05c78e298b4a

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\1018851001\015c82ce41.exe
                                                            Filesize

                                                            758KB

                                                            MD5

                                                            afd936e441bf5cbdb858e96833cc6ed3

                                                            SHA1

                                                            3491edd8c7caf9ae169e21fb58bccd29d95aefef

                                                            SHA256

                                                            c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf

                                                            SHA512

                                                            928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\1018852001\003.exe
                                                            Filesize

                                                            2.9MB

                                                            MD5

                                                            cee335f824bab75bbc98d04def73e013

                                                            SHA1

                                                            b6cabea09cb1d37e1919aaf6813d11904e951114

                                                            SHA256

                                                            b8d24eeb78cf1b5a25f35e724a6ed3a444dae5aa1f47df344ff224a9d5d9eefa

                                                            SHA512

                                                            9568270173dd0c10f015584226514c112449988a4d2d6bca60297f47ef7c3ee44d3ac6bc3a287b7ae920c5ee1a2a1285561864882484d719b155eacb65994634

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\1018853001\b7e60c38a4.exe
                                                            Filesize

                                                            1.1MB

                                                            MD5

                                                            ef08a45833a7d881c90ded1952f96cb4

                                                            SHA1

                                                            f04aeeb63a1409bd916558d2c40fab8a5ed8168b

                                                            SHA256

                                                            33c236dc81af2a47d595731d6fa47269b2874b281152530fdffdda9cbeb3b501

                                                            SHA512

                                                            74e84f710c90121527f06d453e9286910f2e8b6ac09d2aeb4ab1f0ead23ea9b410c5d1074d8bc759bc3e766b5bc77d156756c7df093ba94093107393290ced97

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\1018855001\33a6e8d770.exe
                                                            Filesize

                                                            4.2MB

                                                            MD5

                                                            ece3b1a61f2977c90820f0601637020e

                                                            SHA1

                                                            36ec33851c696b440730b3d9c8b59e2ab2e1b0b6

                                                            SHA256

                                                            239eb2c35896d73e83b650bf4c5637188e9bb1a5a85c74a2202cd50c2382d6e6

                                                            SHA512

                                                            e8fbbe975f739a40a97055bdda605bdf72210d6bfaaf7e0f1a78083238dfd816317de56a21590f5e05c1dd1e170b45e2610415c0b7ca3c27c12d037173161df7

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\1018856001\ab78005b36.exe
                                                            Filesize

                                                            1.3MB

                                                            MD5

                                                            669ed3665495a4a52029ff680ec8eba9

                                                            SHA1

                                                            7785e285365a141e307931ca4c4ef00b7ecc8986

                                                            SHA256

                                                            2d2d405409b128eea72a496ccff0ed56f9ed87ee2564ae4815b4b116d4fb74d6

                                                            SHA512

                                                            bedc8f7c1894fc64cdd00ebc58b434b7d931e52c198a0fa55f16f4e3d44a7dc4643eaa78ec55a43cc360571345cd71d91a64037a135663e72eed334fe77a21e6

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\1018857001\f51416a8ee.exe
                                                            Filesize

                                                            21KB

                                                            MD5

                                                            04f57c6fb2b2cd8dcc4b38e4a93d4366

                                                            SHA1

                                                            61770495aa18d480f70b654d1f57998e5bd8c885

                                                            SHA256

                                                            51e4d0cbc184b8abfa6d84e219317cf81bd542286a7cc602c87eb703a39627c2

                                                            SHA512

                                                            53f95e98a5eca472ed6b1dfd6fecd1e28ea66967a1b3aa109fe911dbb935f1abf327438d4b2fe72cf7a0201281e9f56f4548f965b96e3916b9142257627e6ccd

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\1018859001\896064fdcb.exe
                                                            Filesize

                                                            4.2MB

                                                            MD5

                                                            6087d5a01774d89431f633d9b2d1d705

                                                            SHA1

                                                            5c3b075e194fa131fdffdab37ffb4936db50a0d7

                                                            SHA256

                                                            51121d1b988327e1845be7351022f85370a19154989ed3079cf7c202f45a428f

                                                            SHA512

                                                            4acc1431638ad5b1b66137ec1a253ef2eec1655f111fd7edd22692d7e5edadef61dd40ed69180d13b7627822da827e3cdece77d7f868f72e6e0fa28a38b34a91

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\1018860001\c4278bf154.exe
                                                            Filesize

                                                            1.9MB

                                                            MD5

                                                            81c164e0c2d7d36e812fe860548569a1

                                                            SHA1

                                                            97825c34e950ed01f6111b524c114f209a1b9819

                                                            SHA256

                                                            f88321d520c20b67f4fba3b0dcc89003e30d1aabf2e728e5c50773badd64632e

                                                            SHA512

                                                            e13101abd29bc203bfc553056741cc9fadc239350230f92397c74697dd069cc5f6540e1979063b35c18aaab913682104dbe24b17430d359adaaa583e6ef6c548

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\1018861001\af08f98cc0.exe
                                                            Filesize

                                                            1.8MB

                                                            MD5

                                                            184cee9b3f334e2cee2ccc95977e5335

                                                            SHA1

                                                            3c13283ed8c4e0e09ae0e5f361da46f073cd2386

                                                            SHA256

                                                            188e74bab6540e25c1cc694264d96ed609f113267f747be27e09a2420ef90577

                                                            SHA512

                                                            adbe8c840684e0d56f2ab56677548a4dd47a8c8f0810557cbdfd21c27829b7ecf4950bd8ff7008a3c2e6d6ecbac84a368542109d103d493c412751f56748ef6e

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\1018862001\1e1ef38d95.exe
                                                            Filesize

                                                            2.7MB

                                                            MD5

                                                            d7593c78ec8bf3f98603559b67cb3ccd

                                                            SHA1

                                                            4db5fb73dfc7d2067058437eb1e8b6d8da90f742

                                                            SHA256

                                                            5ffb2e33be22c35585ffe74f82986dcd542e9b89fdc9e0e9243c804f17c32521

                                                            SHA512

                                                            69b1b4c1d2691a3fa85d6e04557761b28d8c0f57c1db5f4500a7166717323b1920a429e4c700dca6b5c0badeb40023bb1dfbcbed20040c72b185e0aaba0c8f1a

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\1018863001\6e20b0fd76.exe
                                                            Filesize

                                                            947KB

                                                            MD5

                                                            92755c6663e0aa7af1dd7aaa7abcfcbd

                                                            SHA1

                                                            53097d488facff9896f2adff5399f783314a8cc0

                                                            SHA256

                                                            8a7034c6750914f3a966287a9e97307cf3f83eaca584fec77d7ebf5b2665d4ad

                                                            SHA512

                                                            9a49a39acf2840acbce159401964c4542f81c237259901f57aa45d78fbb2b7f9a9abc046ca20107bf12ca0f8c2afaaa4275c00283df47d9fe8812450e23c6803

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\1018864001\31c1fa8fe1.exe
                                                            Filesize

                                                            2.6MB

                                                            MD5

                                                            f7330ca504d0f0551eff459cd9a4f461

                                                            SHA1

                                                            e3eb3a4d8a7ba4204dd57c95bacc2bcbe425aa1f

                                                            SHA256

                                                            7c2b8c5ec1e07f8b267d81a67e1af69f09a129373d81ca07c8633c5dbefd66c4

                                                            SHA512

                                                            641394e9b238e830d04737e3a898f1c238660b2ebea140ebc95e7647a65f2db2e6a519de357f6c621d124b285e720df7069a24e71456ccf2cecc3a3b57bf96c3

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\245347\Dry.com
                                                            Filesize

                                                            925KB

                                                            MD5

                                                            62d09f076e6e0240548c2f837536a46a

                                                            SHA1

                                                            26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

                                                            SHA256

                                                            1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

                                                            SHA512

                                                            32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\245347\b
                                                            Filesize

                                                            267KB

                                                            MD5

                                                            0c7d5f0db7d1be49fc2285c64d3c45aa

                                                            SHA1

                                                            942803613a17b0735f80d32dab9be6b87a0e472f

                                                            SHA256

                                                            d49d834cb452343c64c7b9716f5b6d6032ce8b81e04995ccd1af130ff863143d

                                                            SHA512

                                                            52c3cacdd5a798243bdf191d0f673c63befd5297284e2841de8ef0588b103b1192e60d50e22e5572fa160834be7d052aa328556ed182a1cc56c9be55ab76ccc8

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\Another
                                                            Filesize

                                                            96KB

                                                            MD5

                                                            5535aa11bb8a32622dadb4cb7d45071c

                                                            SHA1

                                                            76b4b6221174f1b11370d7aa2a89a5996624c7f8

                                                            SHA256

                                                            ead59f9d65f7830e35a9c213b07938b7bc57513692ecbcf66b4be4ac82350eba

                                                            SHA512

                                                            b14a53ea33b6f44ef4fffb76060955f9ae85bfed79ca206359ffcdf80aa33d21abff41d526e43ba55bc33048fd8a237a2c854e92856f292cb4825304acfbe3bd

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\App
                                                            Filesize

                                                            17KB

                                                            MD5

                                                            15687a16a1310bb6dfcb1fb9b8d052b3

                                                            SHA1

                                                            bda139691a5c3f90f7059d84dbad98354748832f

                                                            SHA256

                                                            08f36da3d5e25c26d14e49bc46995aa1a5842ad368a9e02244db850f77d4a70f

                                                            SHA512

                                                            9dfafa0cf6e7a54037cc53c155c7214580a90b4066d3b469a966f53d363ae63a6a4d9bb08a8de64796e8c6b36e6a5e8374069952628a81b13ebfe93abbc51574

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\Critics
                                                            Filesize

                                                            103KB

                                                            MD5

                                                            8496cef888ee804f2b8a44171481e40a

                                                            SHA1

                                                            90fcde8c353d79ae02bfc946d708d35fedfea64f

                                                            SHA256

                                                            0d8671285841832d972ca2576cdb83f412af8433cf33c511f652912e7fd7e29b

                                                            SHA512

                                                            158c70a8804e73dfb25a1265328fadc26903c5b035a991aaa570f0ef98f89d616c635e4820e926fb8e00e1c20cfcf3fd441dcc0ca5eefa109dd5bc23e0e4c61d

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\Doug
                                                            Filesize

                                                            114KB

                                                            MD5

                                                            37f28bccbcaea4719409c72aa6385586

                                                            SHA1

                                                            083ad006b92745c976989bc5fb76e7187d81a597

                                                            SHA256

                                                            7101d14a5fcf7b47a9c6b809155bea70121c61d2df7e2244573204c2190ccf45

                                                            SHA512

                                                            105de3a0358c0e95b573dd1fc590b27c33f8033158b28a523a5ef9bdbfaa1f488e6b0f7556d6e46d96e23f00392f4eebded0dcea31926a05823ea1b5d4fff22f

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\Eleven
                                                            Filesize

                                                            125KB

                                                            MD5

                                                            3b84985152cd93f2bd04bd909d7c902e

                                                            SHA1

                                                            4bd3d6af1e4ed7efe357e707ec7e6ab2e3ff4eee

                                                            SHA256

                                                            9df8e69068b9ce01749fe0a515db1554c05d491c3a5a4f80f8aba060ea89950f

                                                            SHA512

                                                            051d3b9fa3d463d78d1ac971396dcb00d930a9e9c3f7a1278a7dd8027d1ab159f688f912d65d78ada9f059d73526f987a36cac0d5100cae5491959dd059f89dd

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\Eligibility
                                                            Filesize

                                                            88KB

                                                            MD5

                                                            3efe58b3be584c2afe3d64a453f70dac

                                                            SHA1

                                                            ba151bdfa43145dc0e3a495ac5382638cfb0a2c1

                                                            SHA256

                                                            7054a53ce5187d3470517170af3138dc28cec4ed1793574a91cca795fb7e3e10

                                                            SHA512

                                                            929b0a9af43360af0f820fab936650b211978523b9fdef00ee563930e03f2a9830e5c2246be9ace7f95ab78cfb075e82347cafb02472b8a09dc4859c9a5232f3

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\Judy
                                                            Filesize

                                                            70KB

                                                            MD5

                                                            f5c4ea189e763c79767bb2f4bc471f08

                                                            SHA1

                                                            6abe10f27aeb64cb3583ec3549d8f84eb23b05eb

                                                            SHA256

                                                            49b1a81a6965071db23fe804a6293b87fd2ab96cfda6e28d806c1e76a53e723e

                                                            SHA512

                                                            31e79f7a7fc0a5eea3c4d70b152f75573c43c324b317667f41a824ebb2913d7bf4bacbf08a85d6281ec33ada2f2babe2a26d251008288cb6a4ce85e38dbe51d7

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\Organizing
                                                            Filesize

                                                            239B

                                                            MD5

                                                            28a97febfc5cd391bec1e2a3d9d938bf

                                                            SHA1

                                                            adea302b1d73d65c4c2a64f4f10955d5e4d728aa

                                                            SHA256

                                                            2528cd8d1353e6c4dbcc6d2226b5b50ef14027a962a49c4001d2c8c072904773

                                                            SHA512

                                                            7bbb7f7781c77740efc6361c5195a01f854c3ca1afd9ec7870c4f87c5a28432af97d61a41e4af0d2d3cea45fa3565e297fc08cd7aca91831792df0a81efe0f82

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\Origin
                                                            Filesize

                                                            63KB

                                                            MD5

                                                            7bbdcf2829f157f4178ad1a4ea31bfe6

                                                            SHA1

                                                            afc7c5852f104d94fc2726b3230039b696f17fc2

                                                            SHA256

                                                            bac794ee8129a6edaa06fed424a8839d24b6b8e6a75c4f23bc8c3e7735498818

                                                            SHA512

                                                            d2dd73e8f2b965b9bf9bb806c639af654646d76628e5c707f29ede16a1634dd5a699fb239c83c4bcf492b03e2941129affc777c39b9851f948a96f537dc844ff

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\Saved
                                                            Filesize

                                                            66KB

                                                            MD5

                                                            53ab895bb726a4933dd1dc3f2fa2e5f8

                                                            SHA1

                                                            3933c015286de1871305ac17679d7244e0c73a07

                                                            SHA256

                                                            230c6c15bb57bcb9566d03a0940eb2d8cbb52fd2807cb195982c2541ef7ebbc2

                                                            SHA512

                                                            3ffb82fb40e8ff1d98d395601de10beb59af9f77af6300dba79e2436ea787ee7dce026dd43cdda324515f81ec7b5f48e1df396cfc3568128468c3cc5e663682b

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\Sensor
                                                            Filesize

                                                            116KB

                                                            MD5

                                                            3b125d59ce5a2cf242a621511a0fb164

                                                            SHA1

                                                            3ccba09f214b941931d6169ca9959ace2a72aba7

                                                            SHA256

                                                            e4c1fbedc713173bcef5c724f3d64283add852a64f65c87eb3ec8d86c55833aa

                                                            SHA512

                                                            c026f9aa8e83f2c888e2b8336c7ec8380d34873956407e32fae31fd72bda741b72c649b7162587435e3d13b9b9fae8e0552330d710831c774264724c8589f36c

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\Sheets
                                                            Filesize

                                                            61KB

                                                            MD5

                                                            d947e72346c4ac1aba8bbde8bb791f6f

                                                            SHA1

                                                            f6dc2cffbc0b29502cba42d9adee2263a7ff4835

                                                            SHA256

                                                            a6e6fc90d3c04e2461e3017e9f1dbaa27abb9278f5db7bb09a218a3a969feb41

                                                            SHA512

                                                            61e4a6bfb253d4fcf21781324c6dd7b2dff0750075bfe4ccaffff07a4d2fa552016dfb343bb835bfc7e7d6fd80b2b35b9519f2d6958885502758138bab764e9c

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\Show
                                                            Filesize

                                                            54KB

                                                            MD5

                                                            35469ff6842a57bd9788db58a1e1c0cc

                                                            SHA1

                                                            47b76f8ae04aeff8cde18e15a6ab9d072214a54a

                                                            SHA256

                                                            7006a277a8b2ab82ae4409df94e227083287b7678b9ffe79e2e19d534f1335ec

                                                            SHA512

                                                            3b97531e8d41c069dd9a8a6f3fe0fbc498facbb6df823525a726499cf5a4ea40879b7d02138c6d020520df2d59c28efc2f51470bf9aac9f00b6f40101fe51ad0

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\Silent
                                                            Filesize

                                                            50KB

                                                            MD5

                                                            04df53fd74b69c92dba8cd83eafa1180

                                                            SHA1

                                                            275765d9c7e3300c0b7579ae3de32f658e12945c

                                                            SHA256

                                                            db246122e92d7c13ae1050c65c1e1f722f4e98375c9875d719f775cfe1478ee9

                                                            SHA512

                                                            44dfa1ccf0c3b054dac3fadba5a87c7c56f318c74dff83810310e349b80029f19a08133c502dd7b65e543b882e567ac19de54f8a520ff073774894f6f8320ef5

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\Symptoms
                                                            Filesize

                                                            52KB

                                                            MD5

                                                            7847e23cce3770257dd905024cdc5020

                                                            SHA1

                                                            2d2070cb134ccde38544814a1e1e35a08ab95ea6

                                                            SHA256

                                                            75f0206860b962d3636015d98c420ec5ebf4023ca7b75b747aeb388aafe9049a

                                                            SHA512

                                                            97f5b6924c23343f732ab470b8006ef2b25c92fadb3560fd56db6e53b8daf0c65ce66eb416bd03126c3b1ae6fa2cf66178a487c0eabad24263a3de7253c236b0

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\Tmp751B.tmp
                                                            Filesize

                                                            1KB

                                                            MD5

                                                            a10f31fa140f2608ff150125f3687920

                                                            SHA1

                                                            ec411cc7005aaa8e3775cf105fcd4e1239f8ed4b

                                                            SHA256

                                                            28c871238311d40287c51dc09aee6510cac5306329981777071600b1112286c6

                                                            SHA512

                                                            cf915fb34cd5ecfbd6b25171d6e0d3d09af2597edf29f9f24fa474685d4c5ec9bc742ade9f29abac457dd645ee955b1914a635c90af77c519d2ada895e7ecf12

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\Volunteer
                                                            Filesize

                                                            93KB

                                                            MD5

                                                            d9ebae5a1b2f513852f89fdc3d31672d

                                                            SHA1

                                                            dfa418e6fd3c5b16b685ea0e09cc159a5ff6ed14

                                                            SHA256

                                                            b9a3c8e95d261cc9c6b28b58518554120aa2cfa09c2be81c609c0f01b26b313d

                                                            SHA512

                                                            d5a9226ea1152566872669c4072bea6498c930e405db45fb6b7b63cd7a807be814c7a71e983851f5d7a66b131319a850ddb10e1d4661d4cacd3082cb5c1caeac

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\Wanting
                                                            Filesize

                                                            40KB

                                                            MD5

                                                            6f1a940a0159306f679ff4d03524ae0b

                                                            SHA1

                                                            2b48523d0bf3828abd8590e13a03b5946b3d442d

                                                            SHA256

                                                            7e294dd8f93a9a7d79fb118070f548d1e8fda62fa96af973e1a950f150b0331e

                                                            SHA512

                                                            4ddf0afa24b981bac3ca60cb52af73e39bf7155972f49968c8fc85a17f561208d76158cd117948467176696a0ba87b9ac33658c5e7ef1ef3d4201139e959f932

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_txtszztz.lup.ps1
                                                            Filesize

                                                            60B

                                                            MD5

                                                            d17fe0a3f47be24a6453e9ef58c94641

                                                            SHA1

                                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                            SHA256

                                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                            SHA512

                                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                            Filesize

                                                            2.8MB

                                                            MD5

                                                            61cb850896f4b6aac18c72e82eb9ac90

                                                            SHA1

                                                            c1fcdd242b13e4c5ad99f7e76da886288622b6dc

                                                            SHA256

                                                            c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f

                                                            SHA512

                                                            d156751d3d9e353a116e55cbc9a9e87da03a4d29efe529344ce996324ec361f0472724bb8162c2be7ea6f291aaf2f7cbbc8659672777e182e40283fa661a2043

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                                            Filesize

                                                            479KB

                                                            MD5

                                                            09372174e83dbbf696ee732fd2e875bb

                                                            SHA1

                                                            ba360186ba650a769f9303f48b7200fb5eaccee1

                                                            SHA256

                                                            c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                                                            SHA512

                                                            b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                                                            Filesize

                                                            13.8MB

                                                            MD5

                                                            0a8747a2ac9ac08ae9508f36c6d75692

                                                            SHA1

                                                            b287a96fd6cc12433adb42193dfe06111c38eaf0

                                                            SHA256

                                                            32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                                                            SHA512

                                                            59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\10001320110\terms.dll
                                                            Filesize

                                                            27KB

                                                            MD5

                                                            4dff588e6b10db3454aed96bde5764cd

                                                            SHA1

                                                            4bb138f3be2afa756ad64aaabf7183936db20304

                                                            SHA256

                                                            c34dba935e9e13317d2aba4b46c4c602d11658730e6c26c209ff11f2e1dff405

                                                            SHA512

                                                            2a980b5710a4d3e33b12a5507945358428254abe16ec1ef84a43d9fbb4c3764fe8e356ec9d92d5c8f4b8b3137d8a003e10156f57b328cb47d0d6c7791b33b410

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
                                                            Filesize

                                                            6KB

                                                            MD5

                                                            8b319f6b3bb302e8dc88ded704a4632c

                                                            SHA1

                                                            dd88bf6d59982edcb72a5af684d272eeef7595c3

                                                            SHA256

                                                            c26b68086f39a0af98a3cedfccded4d109d80f6c6269c6b2e944e230c9a78dc0

                                                            SHA512

                                                            d6caaa3f948eafab7a778ec589db8fdf2ee0d7f259995a80a7e58cbf5f8ef623eefb0ad2e51184b2c2b0233e9cbf92e530c09f7a8de79f060070d66eb68c8868

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
                                                            Filesize

                                                            8KB

                                                            MD5

                                                            af995bbcbe9c2c03601ca6233b7597ac

                                                            SHA1

                                                            d780e26caf0f6a500160ffb7195fdde0bff7bf7c

                                                            SHA256

                                                            590e637cd3e0e71c5392633d1f274e83dda7fd5ba2ad38898aac8099ac286b4d

                                                            SHA512

                                                            7d8c0e08aa3b0423ea8ec0f97aa96de3d1208cc8066a71aa931f605c9b866eab1719d66c9a3d71309a0c5bb045dc0f219219d67f45bc79126910ca61956a21ac

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
                                                            Filesize

                                                            13KB

                                                            MD5

                                                            c28d1188f9d33168b6184b959dd4562d

                                                            SHA1

                                                            247be09cd6c32816227a5b6c084e69513fb8c804

                                                            SHA256

                                                            d0d591ed8b3ead76e794ad96e83dcc7a9776e5b9b31e56867815a83338464c21

                                                            SHA512

                                                            5aeb30fd4e24c13aaacb77d04b8ea0f44b9f208010d2a989bf9ff047c8dbaafca54f12215395bc7e5fb06f78dc5876d13a5cbf86ab42511272ab1883cff1b422

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
                                                            Filesize

                                                            5KB

                                                            MD5

                                                            50b5929243724e5de52156ff514d2da4

                                                            SHA1

                                                            a1abe2c08a52e4e3b8f27133991a7705163229f9

                                                            SHA256

                                                            2f2eca6b7f5c4170114b7f8bbdbce8444e33317643d1472882eb0a23ce3a49ad

                                                            SHA512

                                                            92c728e7d3ceb17be63350aa4f28e401f3e450c62c51388e484faf6475b8b47a3dc5e0830fd1560cc62bbf04297f3e541871639d3b189e538cc296123b613a0d

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
                                                            Filesize

                                                            6KB

                                                            MD5

                                                            942fabd1b0d77a5c48b954b9f7d854ef

                                                            SHA1

                                                            04cfcdb116f40272d9ce61e1ecd2badac6afbd5d

                                                            SHA256

                                                            20acff2b1ca70dcf4e58e58f5937ec507525a05130d6df4f1f6fc37be5fc864c

                                                            SHA512

                                                            a0e356a12db8220bd7237c131c42ec5c20d3bc04577c5e4a1495c2e6d6469702b00cb8e2bfcf39c6fa1749694a7462bd39535d8821cbbe0bfda59ec62eed6d5d

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
                                                            Filesize

                                                            15KB

                                                            MD5

                                                            f3b3c535d4b09c2ae3bcb7b8745177ef

                                                            SHA1

                                                            567f529fd6c8ff8cc93ad76a12ec704733e92629

                                                            SHA256

                                                            ef3d6b261586bb6ca7acad6835f7c533a10dfad2550b843dbaf031b6496ea93d

                                                            SHA512

                                                            737d175dec7d361d1c79325d4d81d27400f4f8630d6e4a2debd57656753329749354ed66d01ff921c9209bbdacffd350fb7272b573771ace9a907be6bfb69fc8

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
                                                            Filesize

                                                            6KB

                                                            MD5

                                                            95ba049335aa4ab714ebd3fb1f565bbc

                                                            SHA1

                                                            55df52b9a953320f8e5572184e1844bd10cc07d8

                                                            SHA256

                                                            db2aab33a46008ca128054947d8471d83b8f0f3f9fba566f4518a64736e7ba2e

                                                            SHA512

                                                            f2554fb4ec0a0b6ff0af28b3fc16d5410e842e0ac70fa941707fdc7b1db487a8171e8947f7b4cf879a8f493dd170dc7fb17776aa2103ba0a9eb8784610366cdc

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
                                                            Filesize

                                                            15KB

                                                            MD5

                                                            4bfa1280e149e240573d7aca20140bc5

                                                            SHA1

                                                            931d0a175b5536c19488290182c81dcdefac47a4

                                                            SHA256

                                                            7599fc62cd34ef8204e9ef615f138a80c57d3aa2e35244d017e3b37c30346be4

                                                            SHA512

                                                            caf9a1f5421d35284b01ec59b197da92f31e44b7afe02f4e4f5f6fd8a9077dc7a24cc514cbb21ddcf9ee58dcfff263e064e2743ce7949eb2e2a8c2260ce7df9c

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\4a4c0d3e-096b-4331-a589-89e1f23f9802
                                                            Filesize

                                                            26KB

                                                            MD5

                                                            e4455bc30a9c7718a8d6a962fcea25b7

                                                            SHA1

                                                            1f335d9e208ba8fdd119fb659773bd5190f63aca

                                                            SHA256

                                                            f3dfac5b9d01dde3167fafc79b511195f2436d75b75c7cbb6f29f0197fae0992

                                                            SHA512

                                                            35fb18ff5dfdb6e710d123e23834d372b0788f8635e2272180033a212afb9827ffa0b0ee851d1bbbdb1d61cff8b66c2ad552213c5a74dfdc0654c50f8a71fb83

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\a2c1f271-89c3-4f30-937b-b51e1b0ecc77
                                                            Filesize

                                                            982B

                                                            MD5

                                                            1a322decdc1c031d0f7c57012aa2ec24

                                                            SHA1

                                                            65d3376404d4507268d98fa3f3ca951dda6ba324

                                                            SHA256

                                                            717110f9e5ae6f9594ee47d5ff5d67644b9b2dcddc4371706361f1d5ba44354b

                                                            SHA512

                                                            37c8004bfd5272cd634a0e60ebca83cb218422952ed08a58061fa86f931955c6bdc7c74bf4ec50ceb2d1e8d55d01a2e701084279be4090dd441fb4a680e90b36

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\f5142813-89bb-4c0d-b6ce-278ec7dcb6b3
                                                            Filesize

                                                            671B

                                                            MD5

                                                            3547cc7add5bf6e5949d85fd6fae97f2

                                                            SHA1

                                                            05cf1286e8b2fbdf6712607f7aa7e16cd8a21ca3

                                                            SHA256

                                                            e53907959e209a08408b25ab3a2b7c6b91f7d621771e0d918697d3479db0cc4e

                                                            SHA512

                                                            f584a2e38680ff61e4987d2fad3f9730416e5f7e21401c7aec0d9ed277f51ab82b9cde88e0fd2393a88a5affd9c4d944c38f44f5e73814ea91244d6c2bf98cd8

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                                                            Filesize

                                                            1.1MB

                                                            MD5

                                                            842039753bf41fa5e11b3a1383061a87

                                                            SHA1

                                                            3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                                                            SHA256

                                                            d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                                                            SHA512

                                                            d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                                                            Filesize

                                                            116B

                                                            MD5

                                                            2a461e9eb87fd1955cea740a3444ee7a

                                                            SHA1

                                                            b10755914c713f5a4677494dbe8a686ed458c3c5

                                                            SHA256

                                                            4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                                                            SHA512

                                                            34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                                                            Filesize

                                                            372B

                                                            MD5

                                                            bf957ad58b55f64219ab3f793e374316

                                                            SHA1

                                                            a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                                                            SHA256

                                                            bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                                                            SHA512

                                                            79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                                                            Filesize

                                                            17.8MB

                                                            MD5

                                                            daf7ef3acccab478aaa7d6dc1c60f865

                                                            SHA1

                                                            f8246162b97ce4a945feced27b6ea114366ff2ad

                                                            SHA256

                                                            bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                                                            SHA512

                                                            5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs-1.js
                                                            Filesize

                                                            15KB

                                                            MD5

                                                            109398509f283afc162c9bb28c864250

                                                            SHA1

                                                            18bfbec704f9177d1838f11b0dd248664d5fcd5f

                                                            SHA256

                                                            24fb089da2c00152dacde07322e48a70c628ebf51e89d0558f5ba01eeb329280

                                                            SHA512

                                                            64b7734e02209fa888746ae8788dd3c8a19b40e98fd31a5109419574430b3c59ed4c837292ab3a8c4701ead5a48860673b4f3540583246522531d52f92abb3c8

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs.js
                                                            Filesize

                                                            11KB

                                                            MD5

                                                            90acc95383253dde77f359bd04098af2

                                                            SHA1

                                                            18be68aec5498fdf4783aa43c654d1210ffe072a

                                                            SHA256

                                                            be93611a9e17f6d0abcf4c7a5b443d155366a38db6134e2babe8b1d05558e491

                                                            SHA512

                                                            83ab72d9309f56c7f1be6aedfa7bcd9acf030ca263c2eb2b110a0b729e5593fff610357604a5bb71def1591d6ed42d79ab70b3fffb8474ed41ac88ada3e069cf

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs.js
                                                            Filesize

                                                            10KB

                                                            MD5

                                                            c4032e32564582143075dc49be72d006

                                                            SHA1

                                                            6822b1359190a1008399b8826d3d4ea10ecc20c8

                                                            SHA256

                                                            71bc8b12be46dad3d208f648b0e5f0a66fb6210e6d2d0f1e815eb6a53ce702a3

                                                            SHA512

                                                            fce88174e48c493ae938c73da88fb003b8e19e98c0f8c03d3ce6d5efdfaa8ea5975ab2b04d76419f7a8a63115b4000bc01ed244fa6cc3fceffed3458ae0c81e8

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs.js
                                                            Filesize

                                                            12KB

                                                            MD5

                                                            0ac8507c64437c1cf2a98d3b72e69d91

                                                            SHA1

                                                            779ee12d93a18a8bee776d2915d84708510e5780

                                                            SHA256

                                                            e36c17723adae934f2610e95e667a6c92b0f4df12027e960d04f00fbe5ccaa1c

                                                            SHA512

                                                            9df35ecc3787655af399dc9e870b784e978892cab93092f5afe1b2c10052af22de41d1ec5ddd50ff2f3c59542e492313013a5b2457281af9c6c7cf84fecd14cf

                                                            Download Submit

                                                          • C:\cebym\5da66ec319e8477aaeb0313b6ce0b9d4.exe
                                                            Filesize

                                                            1.2MB

                                                            MD5

                                                            577cd52217da6d7163cea46bb01c107f

                                                            SHA1

                                                            82b31cc52c538238e63bdfc22d1ea306ea0b852a

                                                            SHA256

                                                            139762e396fb930400fab8faab80cb679abbe642144261cba24973fb23bcd728

                                                            SHA512

                                                            8abad4eaf2a302dfd9ead058e8c14d996437975730125c46d034a71028921ff36ff5d157ad3671e328ac667ec8095db19fa14a9e8eaaf1a7738aa3d0120b5474

                                                            Download Submit

                                                          • C:\lnzhun\0daa390795d745439fc18a2370173071.exe
                                                            Filesize

                                                            1.0MB

                                                            MD5

                                                            971b0519b1c0461db6700610e5e9ca8e

                                                            SHA1

                                                            9a262218310f976aaf837e54b4842e53e73be088

                                                            SHA256

                                                            47cf75570c1eca775b2dd1823233d7c40924d3a8d93e0e78c943219cf391d023

                                                            SHA512

                                                            d234a9c5a1da8415cd4d2626797197039f2537e98f8f43d155f815a7867876cbc1bf466be58677c79a9199ea47d146a174998d21ef0aebc29a4b0443f8857cb9

                                                            Download Submit

                                                          • C:\lnzhun\7df5a524fe8248ff96e8926d0ec6a370.exe
                                                            Filesize

                                                            144KB

                                                            MD5

                                                            cc36e2a5a3c64941a79c31ca320e9797

                                                            SHA1

                                                            50c8f5db809cfec84735c9f4dcd6b55d53dfd9f5

                                                            SHA256

                                                            6fec179c363190199c1dcdf822be4d6b1f5c4895ebc7148a8fc9fa9512eeade8

                                                            SHA512

                                                            fcea6d62dc047e40182dc4ff1e0522ca935f9aeefdb1517957977bc5d9ac654285a973261401f3b98abf1f6ed62638b9e31306fd7aaeb67214ca42dfc2888af0

                                                            Download Submit

                                                          • memory/664-6191-0x0000000000400000-0x0000000000639000-memory.dmp

                                                            Filesize

                                                            2.2MB

                                                            Download

                                                          • memory/1532-1447-0x0000000000380000-0x0000000000664000-memory.dmp

                                                            Filesize

                                                            2.9MB

                                                            Download

                                                          • memory/1776-2850-0x00000000004D0000-0x00000000004DC000-memory.dmp

                                                            Filesize

                                                            48KB

                                                            Download

                                                          • memory/1780-19-0x0000000000F70000-0x0000000001284000-memory.dmp

                                                            Filesize

                                                            3.1MB

                                                            Download

                                                          • memory/1780-40-0x0000000000F70000-0x0000000001284000-memory.dmp

                                                            Filesize

                                                            3.1MB

                                                            Download

                                                          • memory/1780-135-0x0000000000F70000-0x0000000001284000-memory.dmp

                                                            Filesize

                                                            3.1MB

                                                            Download

                                                          • memory/1780-21-0x0000000000F70000-0x0000000001284000-memory.dmp

                                                            Filesize

                                                            3.1MB

                                                            Download

                                                          • memory/1780-18-0x0000000000F71000-0x0000000000F9F000-memory.dmp

                                                            Filesize

                                                            184KB

                                                            Download

                                                          • memory/1780-20-0x0000000000F70000-0x0000000001284000-memory.dmp

                                                            Filesize

                                                            3.1MB

                                                            Download

                                                          • memory/1780-16-0x0000000000F70000-0x0000000001284000-memory.dmp

                                                            Filesize

                                                            3.1MB

                                                            Download

                                                          • memory/1884-1297-0x00000000001A0000-0x00000000001AC000-memory.dmp

                                                            Filesize

                                                            48KB

                                                            Download

                                                          • memory/1892-0-0x0000000000790000-0x0000000000AA4000-memory.dmp

                                                            Filesize

                                                            3.1MB

                                                            Download

                                                          • memory/1892-1-0x00000000779A4000-0x00000000779A6000-memory.dmp

                                                            Filesize

                                                            8KB

                                                            Download

                                                          • memory/1892-15-0x0000000000790000-0x0000000000AA4000-memory.dmp

                                                            Filesize

                                                            3.1MB

                                                            Download

                                                          • memory/1892-2-0x0000000000791000-0x00000000007BF000-memory.dmp

                                                            Filesize

                                                            184KB

                                                            Download

                                                          • memory/1892-3-0x0000000000790000-0x0000000000AA4000-memory.dmp

                                                            Filesize

                                                            3.1MB

                                                            Download

                                                          • memory/1892-5-0x0000000000790000-0x0000000000AA4000-memory.dmp

                                                            Filesize

                                                            3.1MB

                                                            Download

                                                          • memory/2468-1477-0x000002EC4F1B0000-0x000002EC4F1D2000-memory.dmp

                                                            Filesize

                                                            136KB

                                                            Download

                                                          • memory/2508-36-0x0000000000EA0000-0x000000000133A000-memory.dmp

                                                            Filesize

                                                            4.6MB

                                                            Download

                                                          • memory/2508-1260-0x0000000000EA0000-0x000000000133A000-memory.dmp

                                                            Filesize

                                                            4.6MB

                                                            Download

                                                          • memory/2508-41-0x0000000000EA0000-0x000000000133A000-memory.dmp

                                                            Filesize

                                                            4.6MB

                                                            Download

                                                          • memory/2508-38-0x0000000000EA0000-0x000000000133A000-memory.dmp

                                                            Filesize

                                                            4.6MB

                                                            Download

                                                          • memory/2508-39-0x0000000000EA0000-0x000000000133A000-memory.dmp

                                                            Filesize

                                                            4.6MB

                                                            Download

                                                          • memory/2508-2852-0x0000000000F70000-0x0000000001284000-memory.dmp

                                                            Filesize

                                                            3.1MB

                                                            Download

                                                          • memory/3620-1619-0x0000000000D80000-0x0000000001A05000-memory.dmp

                                                            Filesize

                                                            12.5MB

                                                            Download

                                                          • memory/3620-6127-0x0000000000D80000-0x0000000001A05000-memory.dmp

                                                            Filesize

                                                            12.5MB

                                                            Download

                                                          • memory/3620-3035-0x0000000000D80000-0x0000000001A05000-memory.dmp

                                                            Filesize

                                                            12.5MB

                                                            Download

                                                          • memory/3808-1425-0x0000000000C30000-0x00000000010CA000-memory.dmp

                                                            Filesize

                                                            4.6MB

                                                            Download

                                                          • memory/3808-1346-0x0000000000C30000-0x00000000010CA000-memory.dmp

                                                            Filesize

                                                            4.6MB

                                                            Download

                                                          • memory/4184-79-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-107-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-60-0x0000000000D50000-0x0000000000E84000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4184-61-0x00000000058B0000-0x00000000059C8000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-62-0x0000000005F80000-0x0000000006524000-memory.dmp

                                                            Filesize

                                                            5.6MB

                                                            Download

                                                          • memory/4184-63-0x0000000005A70000-0x0000000005B02000-memory.dmp

                                                            Filesize

                                                            584KB

                                                            Download

                                                          • memory/4184-64-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-83-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-120-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-125-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-123-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-1636-0x0000000005F10000-0x0000000005F64000-memory.dmp

                                                            Filesize

                                                            336KB

                                                            Download

                                                          • memory/4184-121-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-117-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-115-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-113-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-111-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-109-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-105-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-103-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-101-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-99-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-97-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-95-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-91-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-89-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-87-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-81-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-1258-0x0000000005C20000-0x0000000005C6C000-memory.dmp

                                                            Filesize

                                                            304KB

                                                            Download

                                                          • memory/4184-1257-0x0000000005B40000-0x0000000005BCA000-memory.dmp

                                                            Filesize

                                                            552KB

                                                            Download

                                                          • memory/4184-85-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-93-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-65-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-67-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-69-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-71-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-73-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-75-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4184-77-0x00000000058B0000-0x00000000059C3000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4532-1364-0x0000000006C00000-0x0000000006CA3000-memory.dmp

                                                            Filesize

                                                            652KB

                                                            Download

                                                          • memory/4532-1300-0x0000000004A40000-0x0000000004A62000-memory.dmp

                                                            Filesize

                                                            136KB

                                                            Download

                                                          • memory/4532-1366-0x0000000007380000-0x00000000079FA000-memory.dmp

                                                            Filesize

                                                            6.5MB

                                                            Download

                                                          • memory/4532-1367-0x0000000006D40000-0x0000000006D5A000-memory.dmp

                                                            Filesize

                                                            104KB

                                                            Download

                                                          • memory/4532-1301-0x0000000004BE0000-0x0000000004C46000-memory.dmp

                                                            Filesize

                                                            408KB

                                                            Download

                                                          • memory/4532-1312-0x0000000005500000-0x0000000005854000-memory.dmp

                                                            Filesize

                                                            3.3MB

                                                            Download

                                                          • memory/4532-1313-0x00000000059F0000-0x0000000005A0E000-memory.dmp

                                                            Filesize

                                                            120KB

                                                            Download

                                                          • memory/4532-1314-0x0000000005A90000-0x0000000005ADC000-memory.dmp

                                                            Filesize

                                                            304KB

                                                            Download

                                                          • memory/4532-1352-0x0000000005FD0000-0x0000000006002000-memory.dmp

                                                            Filesize

                                                            200KB

                                                            Download

                                                          • memory/4532-1353-0x0000000073BF0000-0x0000000073C3C000-memory.dmp

                                                            Filesize

                                                            304KB

                                                            Download

                                                          • memory/4532-1298-0x0000000002130000-0x0000000002166000-memory.dmp

                                                            Filesize

                                                            216KB

                                                            Download

                                                          • memory/4532-1363-0x0000000005FB0000-0x0000000005FCE000-memory.dmp

                                                            Filesize

                                                            120KB

                                                            Download

                                                          • memory/4532-1377-0x0000000007060000-0x0000000007068000-memory.dmp

                                                            Filesize

                                                            32KB

                                                            Download

                                                          • memory/4532-1299-0x0000000004C70000-0x0000000005298000-memory.dmp

                                                            Filesize

                                                            6.2MB

                                                            Download

                                                          • memory/4532-1307-0x0000000005310000-0x0000000005376000-memory.dmp

                                                            Filesize

                                                            408KB

                                                            Download

                                                          • memory/4532-1370-0x0000000006DB0000-0x0000000006DBA000-memory.dmp

                                                            Filesize

                                                            40KB

                                                            Download

                                                          • memory/4532-1376-0x0000000007080000-0x000000000709A000-memory.dmp

                                                            Filesize

                                                            104KB

                                                            Download

                                                          • memory/4532-1372-0x0000000006FC0000-0x0000000007056000-memory.dmp

                                                            Filesize

                                                            600KB

                                                            Download

                                                          • memory/4532-1373-0x0000000006F40000-0x0000000006F51000-memory.dmp

                                                            Filesize

                                                            68KB

                                                            Download

                                                          • memory/4532-1374-0x0000000006F70000-0x0000000006F7E000-memory.dmp

                                                            Filesize

                                                            56KB

                                                            Download

                                                          • memory/4532-1375-0x0000000006F80000-0x0000000006F94000-memory.dmp

                                                            Filesize

                                                            80KB

                                                            Download

                                                          • memory/4664-1646-0x00000000051B0000-0x0000000005272000-memory.dmp

                                                            Filesize

                                                            776KB

                                                            Download

                                                          • memory/4664-1509-0x0000000007880000-0x000000000791C000-memory.dmp

                                                            Filesize

                                                            624KB

                                                            Download

                                                          • memory/4664-1507-0x0000000000730000-0x0000000000846000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                            Download

                                                          • memory/4664-1510-0x0000000007850000-0x0000000007876000-memory.dmp

                                                            Filesize

                                                            152KB

                                                            Download

                                                          • memory/4664-1508-0x00000000029D0000-0x00000000029DA000-memory.dmp

                                                            Filesize

                                                            40KB

                                                            Download

                                                          • memory/4904-1418-0x0000000007AB0000-0x0000000007B53000-memory.dmp

                                                            Filesize

                                                            652KB

                                                            Download

                                                          • memory/4904-1398-0x00000000062B0000-0x0000000006604000-memory.dmp

                                                            Filesize

                                                            3.3MB

                                                            Download

                                                          • memory/4904-1406-0x00000000068D0000-0x000000000691C000-memory.dmp

                                                            Filesize

                                                            304KB

                                                            Download

                                                          • memory/4904-1408-0x000000006FAE0000-0x000000006FB2C000-memory.dmp

                                                            Filesize

                                                            304KB

                                                            Download

                                                          • memory/4904-1423-0x0000000007D90000-0x0000000007DA1000-memory.dmp

                                                            Filesize

                                                            68KB

                                                            Download

                                                          • memory/4904-1426-0x0000000007DD0000-0x0000000007DE4000-memory.dmp

                                                            Filesize

                                                            80KB

                                                            Download

                                                          • memory/5008-1455-0x00000000003B0000-0x000000000076B000-memory.dmp

                                                            Filesize

                                                            3.7MB

                                                            Download

                                                          • memory/5008-1526-0x00000000003B0000-0x000000000076B000-memory.dmp

                                                            Filesize

                                                            3.7MB

                                                            Download

                                                          • memory/5256-3809-0x00000000017F0000-0x0000000001888000-memory.dmp

                                                            Filesize

                                                            608KB

                                                            Download

                                                          • memory/5256-3803-0x0000000000400000-0x0000000000464000-memory.dmp

                                                            Filesize

                                                            400KB

                                                            Download

                                                          • memory/5256-6113-0x0000000005670000-0x000000000569C000-memory.dmp

                                                            Filesize

                                                            176KB

                                                            Download

                                                          • memory/5332-6184-0x0000000000AA0000-0x00000000016FE000-memory.dmp

                                                            Filesize

                                                            12.4MB

                                                            Download

                                                          • memory/5692-6154-0x0000000006400000-0x000000000644C000-memory.dmp

                                                            Filesize

                                                            304KB

                                                            Download

                                                          • memory/5692-6153-0x0000000005980000-0x0000000005CD4000-memory.dmp

                                                            Filesize

                                                            3.3MB

                                                            Download

                                                          • memory/5692-6167-0x00000000073D0000-0x00000000073E1000-memory.dmp

                                                            Filesize

                                                            68KB

                                                            Download

                                                          • memory/5692-6165-0x0000000007110000-0x00000000071B3000-memory.dmp

                                                            Filesize

                                                            652KB

                                                            Download

                                                          • memory/5692-6155-0x0000000073C90000-0x0000000073CDC000-memory.dmp

                                                            Filesize

                                                            304KB

                                                            Download

                                                          • memory/5692-6168-0x0000000007410000-0x0000000007424000-memory.dmp

                                                            Filesize

                                                            80KB

                                                            Download

                                                          • memory/5712-6219-0x0000018342220000-0x0000018342232000-memory.dmp

                                                            Filesize

                                                            72KB

                                                            Download

                                                          • memory/5712-6222-0x0000018344F00000-0x0000018344F38000-memory.dmp

                                                            Filesize

                                                            224KB

                                                            Download

                                                          • memory/5712-6224-0x0000018345FA0000-0x0000018346126000-memory.dmp

                                                            Filesize

                                                            1.5MB

                                                            Download

                                                          • memory/5712-6223-0x0000018344EC0000-0x0000018344ECE000-memory.dmp

                                                            Filesize

                                                            56KB

                                                            Download

                                                          • memory/5712-6221-0x0000018342CA0000-0x0000018342CA8000-memory.dmp

                                                            Filesize

                                                            32KB

                                                            Download

                                                          • memory/5712-6220-0x0000018342280000-0x00000183422BC000-memory.dmp

                                                            Filesize

                                                            240KB

                                                            Download

                                                          • memory/5712-6240-0x0000018346180000-0x00000183461A6000-memory.dmp

                                                            Filesize

                                                            152KB

                                                            Download

                                                          • memory/5712-6200-0x0000018326AF0000-0x0000018326BF2000-memory.dmp

                                                            Filesize

                                                            1.0MB

                                                            Download

                                                          • memory/5712-6202-0x0000018341150000-0x000001834115A000-memory.dmp

                                                            Filesize

                                                            40KB

                                                            Download

                                                          • memory/5712-6203-0x0000018342920000-0x00000183429DA000-memory.dmp

                                                            Filesize

                                                            744KB

                                                            Download

                                                          • memory/6000-6123-0x00000000064A0000-0x00000000067F4000-memory.dmp

                                                            Filesize

                                                            3.3MB

                                                            Download

                                                          • memory/6000-6124-0x00000000068F0000-0x000000000693C000-memory.dmp

                                                            Filesize

                                                            304KB

                                                            Download

                                                          • memory/6000-6130-0x000000006F8C0000-0x000000006F90C000-memory.dmp

                                                            Filesize

                                                            304KB

                                                            Download

                                                          • memory/6000-6142-0x0000000007DD0000-0x0000000007DE4000-memory.dmp

                                                            Filesize

                                                            80KB

                                                            Download

                                                          • memory/6000-6140-0x0000000007A50000-0x0000000007AF3000-memory.dmp

                                                            Filesize

                                                            652KB

                                                            Download

                                                          • memory/6000-6141-0x0000000007D90000-0x0000000007DA1000-memory.dmp

                                                            Filesize

                                                            68KB

                                                            Download

                                                          • memory/7808-6238-0x0000000000400000-0x0000000000C69000-memory.dmp

                                                            Filesize

                                                            8.4MB

                                                            Download