xmrig | hxxps://anonym[.]ninja/download/UqVE2XPvW38Pgkj

Analysis

max time kernel
65s
max time network
79s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://anonym.ninja/download/UqVE2XPvW38Pgkj

Score

10^/10

xmrig microsoft defense_evasion discovery evasion execution miner persistence phishing upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 13 IoCs

miner

resource	yara_rule
behavioral1/memory/4220-742-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4220-746-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4220-744-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4220-747-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4220-749-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4220-745-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4220-741-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4220-809-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/6108-891-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/6108-890-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/6108-892-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/6108-889-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/6108-888-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5052	powershell.exe
6084	powershell.exe
5876	powershell.exe
5880	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	Bootstrapper.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Executes dropped EXE 4 IoCs

pid	Process
1432	Bootstrapper.exe
5204	Bootstrapper.exe
5856	updater.exe
5476	updater.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
241	pastebin.com
247	pastebin.com
287	pastebin.com
288	pastebin.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 12 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5556	powercfg.exe
5568	powercfg.exe
2348	powercfg.exe
5140	powercfg.exe
4632	powercfg.exe
5124	powercfg.exe
5560	powercfg.exe
5268	powercfg.exe
764	powercfg.exe
5188	powercfg.exe
1248	powercfg.exe
5868	powercfg.exe

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	Bootstrapper.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5856 set thread context of 5144	5856	updater.exe	168
PID 5856 set thread context of 4220	5856	updater.exe	169

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4220-737-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4220-740-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4220-742-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4220-746-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4220-744-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4220-747-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4220-749-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4220-745-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4220-741-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4220-739-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4220-738-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4220-736-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4220-809-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/6108-891-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/6108-890-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/6108-892-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/6108-889-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/6108-888-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6060	sc.exe
5300	sc.exe
5176	sc.exe
5656	sc.exe
5744	sc.exe
4056	sc.exe
5524	sc.exe
5904	sc.exe
5500	sc.exe
5532	sc.exe
5820	sc.exe
5312	sc.exe
5732	sc.exe
5340	sc.exe
4848	sc.exe
5692	sc.exe
5392	sc.exe
5396	sc.exe
5292	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\12-01-2025_UqVE2XPvW38Pgkj.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
2580	powershell.exe
2580	powershell.exe
5124	powershell.exe
5124	powershell.exe
5124	powershell.exe
2580	powershell.exe
5204	Bootstrapper.exe
6084	powershell.exe
6084	powershell.exe
6084	powershell.exe
5204	Bootstrapper.exe
5204	Bootstrapper.exe
5204	Bootstrapper.exe
5204	Bootstrapper.exe
5204	Bootstrapper.exe
5204	Bootstrapper.exe
5204	Bootstrapper.exe
5204	Bootstrapper.exe
5204	Bootstrapper.exe
5204	Bootstrapper.exe
5204	Bootstrapper.exe
5204	Bootstrapper.exe
5204	Bootstrapper.exe
5204	Bootstrapper.exe
5856	updater.exe
5876	powershell.exe
5876	powershell.exe
5876	powershell.exe
5856	updater.exe
5856	updater.exe
5856	updater.exe
5856	updater.exe
5856	updater.exe
5856	updater.exe
5856	updater.exe
5856	updater.exe
5856	updater.exe
5856	updater.exe
5856	updater.exe
5856	updater.exe
4220	explorer.exe
4220	explorer.exe
4220	explorer.exe
4220	explorer.exe
4220	explorer.exe
4220	explorer.exe
5144	conhost.exe
5880	powershell.exe
5880	powershell.exe
5880	powershell.exe
5144	conhost.exe
5476	updater.exe
5052	powershell.exe
5052	powershell.exe
5052	powershell.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	4660	firefox.exe
Token: SeDebugPrivilege	4660	firefox.exe
Token: SeDebugPrivilege	4660	firefox.exe
Token: SeRestorePrivilege	1016	7zG.exe
Token: 35	1016	7zG.exe
Token: SeSecurityPrivilege	1016	7zG.exe
Token: SeSecurityPrivilege	1016	7zG.exe
Token: SeDebugPrivilege	5124	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	6084	powershell.exe
Token: SeShutdownPrivilege	5124	powercfg.exe
Token: SeCreatePagefilePrivilege	5124	powercfg.exe
Token: SeShutdownPrivilege	5188	powercfg.exe
Token: SeCreatePagefilePrivilege	5188	powercfg.exe
Token: SeShutdownPrivilege	4632	powercfg.exe
Token: SeCreatePagefilePrivilege	4632	powercfg.exe
Token: SeShutdownPrivilege	5140	powercfg.exe
Token: SeCreatePagefilePrivilege	5140	powercfg.exe
Token: SeDebugPrivilege	5876	powershell.exe
Token: SeShutdownPrivilege	5560	powercfg.exe
Token: SeCreatePagefilePrivilege	5560	powercfg.exe
Token: SeShutdownPrivilege	5568	powercfg.exe
Token: SeCreatePagefilePrivilege	5568	powercfg.exe
Token: SeShutdownPrivilege	5556	powercfg.exe
Token: SeCreatePagefilePrivilege	5556	powercfg.exe
Token: SeShutdownPrivilege	5268	powercfg.exe
Token: SeCreatePagefilePrivilege	5268	powercfg.exe
Token: SeLockMemoryPrivilege	4220	explorer.exe
Token: SeDebugPrivilege	5880	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
1016	7zG.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
4660	firefox.exe
1432	Bootstrapper.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 4660	2064	firefox.exe	82
PID 2064 wrote to memory of 4660	2064	firefox.exe	82
PID 2064 wrote to memory of 4660	2064	firefox.exe	82
PID 2064 wrote to memory of 4660	2064	firefox.exe	82
PID 2064 wrote to memory of 4660	2064	firefox.exe	82
PID 2064 wrote to memory of 4660	2064	firefox.exe	82
PID 2064 wrote to memory of 4660	2064	firefox.exe	82
PID 2064 wrote to memory of 4660	2064	firefox.exe	82
PID 2064 wrote to memory of 4660	2064	firefox.exe	82
PID 2064 wrote to memory of 4660	2064	firefox.exe	82
PID 2064 wrote to memory of 4660	2064	firefox.exe	82
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 2736	4660	firefox.exe	83
PID 4660 wrote to memory of 4616	4660	firefox.exe	84
PID 4660 wrote to memory of 4616	4660	firefox.exe	84
PID 4660 wrote to memory of 4616	4660	firefox.exe	84
PID 4660 wrote to memory of 4616	4660	firefox.exe	84
PID 4660 wrote to memory of 4616	4660	firefox.exe	84
PID 4660 wrote to memory of 4616	4660	firefox.exe	84
PID 4660 wrote to memory of 4616	4660	firefox.exe	84
PID 4660 wrote to memory of 4616	4660	firefox.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://anonym.ninja/download/UqVE2XPvW38Pgkj"
1⤵
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://anonym.ninja/download/UqVE2XPvW38Pgkj
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5090db3b-34e0-40aa-98f0-c1176d5544d2} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" gpu
    3⤵
    PID:2736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dd6bd7a-24a0-4624-981e-d896625a0881} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" socket
    3⤵
    PID:4616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1468 -childID 1 -isForBrowser -prefsHandle 1512 -prefMapHandle 3324 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {920f6b53-67fb-48f0-bfaa-583a04cb06d4} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" tab
    3⤵
    PID:5096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2892 -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 3764 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1590161-7faf-4c06-bab2-cd0129c948b2} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" tab
    3⤵
    PID:1792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4360 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4416 -prefMapHandle 4412 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdfcef7b-1d5c-42c1-b22d-91186bc3f64e} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" utility
    3⤵
    - Checks processor information in registry
    PID:4192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 3 -isForBrowser -prefsHandle 5400 -prefMapHandle 4340 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82a8101c-e35e-4267-aaaf-081f97f2da85} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" tab
    3⤵
    PID:3296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 4 -isForBrowser -prefsHandle 5632 -prefMapHandle 5628 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e95ec65-3630-4771-a710-410f40dbe63b} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" tab
    3⤵
    PID:2760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 5 -isForBrowser -prefsHandle 5752 -prefMapHandle 5756 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dcd1b94-8d4c-49dd-99d2-8b5eea32db19} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" tab
    3⤵
    PID:632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6604 -childID 6 -isForBrowser -prefsHandle 6644 -prefMapHandle 6640 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6003beb-7ac1-4357-ace9-0871dbae8f34} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" tab
    3⤵
    PID:2932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6752 -childID 7 -isForBrowser -prefsHandle 6624 -prefMapHandle 6496 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f87b32f4-404f-469a-9e22-f5a1abd505a0} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" tab
    3⤵
    PID:1728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3256 -childID 8 -isForBrowser -prefsHandle 7156 -prefMapHandle 3236 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59f335be-848b-4691-b8fe-ec47a525243a} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" tab
    3⤵
    PID:5896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7348 -childID 9 -isForBrowser -prefsHandle 7364 -prefMapHandle 7360 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee1dd470-8e40-4199-99d4-30852a4c8006} 4660 "\\.\pipe\gecko-crash-server-pipe.4660" tab
    3⤵
    PID:2104
- - C:\Users\Admin\Downloads\NDP481-Web.exe
    "C:\Users\Admin\Downloads\NDP481-Web.exe"
    3⤵
    PID:5256
  - - F:\9c5db194f899fda77fce88ebca\Setup.exe
      F:\9c5db194f899fda77fce88ebca\\Setup.exe /x86 /x64 /web
      4⤵
      PID:4484

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2276

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\12-01-2025_UqVE2XPvW38Pgkj\" -spe -an -ai#7zMap6796:114:7zEvent15997
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1016

C:\Users\Admin\Downloads\12-01-2025_UqVE2XPvW38Pgkj\Bootstrapper.exe
"C:\Users\Admin\Downloads\12-01-2025_UqVE2XPvW38Pgkj\Bootstrapper.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1432
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAagBtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHgAdABmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARQByAG8AcgA6ACAAQwBvAHUAbABkACAAbgBvAHQAIABzAHQAYQByAHQAOgAgAC4ATgBFAFQAIABGAHIAYQBtAGUAdwBvAHIAawAgADQALgA4AC4AMQAgAG4AbwB0ACAAaQBuAHMAdABhAGwAbABlAGQALgAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAbQBxAGcAIwA+AA=="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAYgBlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAcgB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAawBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAbQBpACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5124
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5204
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5400
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4168
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5392
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5500
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5532
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:5300
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:5312
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5188
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5140
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5124
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
    3⤵
    - Launches sc.exe
    PID:5176
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:5656
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5732
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
    3⤵
    - Launches sc.exe
    PID:5744

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5856
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5180
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5256
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5340
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4056
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5524
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4848
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:5396
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5568
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5560
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5556
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5268
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5880
- - C:\ProgramData\Google\Chrome\updater.exe
    "C:\ProgramData\Google\Chrome\updater.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5476
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:5856
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:5004
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:5292
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:5820
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:5692
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:5904
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:6060
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:2348
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:1248
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:5868
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:764
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:6108
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
d9743ef671ea8cea8c72fedd957fa5cc

SHA1
1d93cbc7689b0df60a003eac8b76ea9c6f9ce503

SHA256
e560eb74b9141d9da1986bd6a35c77ead2cc3a1423c4547df2965dacace1f50c

SHA512
02df86d0ee2246b2b49ce84d4f0df9f0e128aadd42bd1c434dad258b35dd6304df32928802a2e4c3cdca2b45c114e5ebcc49c87e830b9086939a0526bd22f638

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
da7708ad137f8911fd1a96535dabaa63

SHA1
358a2e8c00dcfb21a4bc11ad5f0881257aac08e0

SHA256
064a98326d2704866c7411a0a2bbbedc24cc0a99135ebf8c0ab7e40fc95dea08

SHA512
f57c08e399a65e7d3fbea5ffe75e28e2feceee78339a448079b9c78a062e7f25a81d109bb34a6dd3a31bb133f993a88a49d89f1eee107c2506e96ba60fee6ac0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe

Filesize
5.1MB

MD5
33a6872a056879c6a977599778a1fb0f

SHA1
109285b385ce0c21ee8b9624b63104d27a51115e

SHA256
79e48350a0712336332571a280272957ffc446c520e70a6e8827169fc84933d4

SHA512
7052a4d7e047768d0eb91b316c191aba2eb6247a66c0f39f2fd7e062bbdd31c402734c80b81dc2b144c199ecde2efc25a5afdfce476923a026bf927dff0c0973

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFIAEE9.tmp.html

Filesize
17KB

MD5
3549c0e68fc3f60ea6e76b75a0b2a06f

SHA1
99c282f7682ea22d37588d69a101fb0f2d705bb1

SHA256
15892904fb86b219daaaa6b21455698865f6d6fc7d2a325a4b6fefb2a2cf0c9e

SHA512
70192df069f40e80d806b2d84e2f53fe52ea49a5681ddd9689b67029317777b0c51ecd25a6dc723e5d114a3e463f51630bf766f2555f13ab271f4ac32c1f484d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qq03iklv.bd1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
6KB

MD5
3488ac7e32ff2b2c58f1e863cff4d537

SHA1
9b1a89c872b1aa2cd775282341ab9bcaaeefe10b

SHA256
8cd564239e75a8bc51422fc66676ef0d0e3b85610c185f337d643bfb6d1b58e6

SHA512
9dd50b3c1bfda8d62a267a287e443032d65ea66a3a372cab82303f8f6adf750ab6e987f862042a5bffcdc2d341147cee9e8abbc44ac0a7496f41b68fc666c865

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
8KB

MD5
cb0514f280261771f785208be9b3c6f8

SHA1
2dc4b2e007741ab1b3be6f8cd148a95867cf2dd5

SHA256
0627bef9317c25f249375d7a0dddcb0498dfc3e190cc4f667641f9301cbbf5de

SHA512
451639196e817d91e1f1cb829552260da1ef8ceff650e22ecc16221e394066818e96a7f53ec82dcb35b63f8b42872976c6863f4a7a3a350c6711270c7fe5a0d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
20KB

MD5
d735efa542dd31d32e75d63fb1bdfcf1

SHA1
b5c145ae93e5f40fb9b235e51690a1e0cb8b63f1

SHA256
5934ad5898e63084bbbf56c8fd4dbdaec7d14492fb29640712066957045997b8

SHA512
d76311e99fd8cb9330a41151089ca498932654a9fb1f2640a9189e845036eafc715ddebc8526dda53f33177f552430ffcd77a809eaf7652def4365f99f688846

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a9ffcd0b9e6c7e5f68345ea43b7a08eb

SHA1
035215a0d11e86d21a71ffdf530faba6d5fb1370

SHA256
69b07839a817b50bf6861328ee58f37b85be24f24ceb1780899e4cbca1eb660d

SHA512
7aef683c7ee1c18cfea0dd53ea944cb87d815afb7f7dcb047511baf84ba7d88e763d3b59b8373527ba186e4fe652aab4e32b464930fcb10e82d47a563b46183f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
8eeef4a998620fc4d7efa4372d373005

SHA1
de8de4f331da04aee2ead99cb63aacc493e97d43

SHA256
b24d33a889a725ec392a95c29c371356dcc322a3a1b4d396dd491fa1970ef0d3

SHA512
efded19e40f1edc9306ad9b9f2723fd57fb9dbf3875b480257b9eff0052c09c2883ab6f7098f3fa600ba3732b68f4611232100dfba32e7dbb59d5cc089fd90ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
33KB

MD5
fd63efd9f0f283fb7a06be2fa7a50ec9

SHA1
6bb62f815f1c0b587f75ba594c65ca0a2880d175

SHA256
d4d349b22cff583b9ed5f39887f32a1d6a063a61adb280dbca296fbd7de3508b

SHA512
749c10aece9f25ade636fc34b08937a163880c36b1c65727c8c47c3e03950ce8952489a88a38cba3673930cc2913f64225f8914b93dacbc9c4563ce675243d23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\581609d3-285c-4e4e-a501-62a17b0328ce

Filesize
671B

MD5
c412ad32c3def7dccec7ea3af97b4442

SHA1
45a71794f2f646750b9b2cf3efe6d98e927937f9

SHA256
ddcbdfaabb942dde309381ef570ced8ab087273d651cdbf0b1a02ced1631f09f

SHA512
7fb56e0b4af8dfe16071beeaf084ec433c6f7123c4b39b03dd385bf9a05e96231c884ea95ce83143c94cf86239555929bedc325c17ab226df568d19e168ec184

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\c190988e-ecd0-4d25-a0f5-6e8637e8e43d

Filesize
27KB

MD5
5ad5249b1b55564199cb2ba036fe55d2

SHA1
7531714a9870c79e3c7b46a3d8517c990cc2121a

SHA256
8a2ce483c018001b456aca42a6053d7f8fb6e63cbed0240cbc17905954a4072f

SHA512
13968467316ee9a69e5e33fa9ed31b6bfe7c061df38676d90fc3dee4c3392134d73f91d959c14cedfff905d9fbd209ea640c4ce3b8dfb836760c35d1756696c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\fe679292-c5db-4748-b4a6-b77101ba65f8

Filesize
982B

MD5
1b6a809cf091a9e02633e907a9b7e581

SHA1
0990df54b85a0d3c10e3a642944a023424a775fa

SHA256
d616d1bae5fbb2f274acb717ec876a68eac9fb89ac875e083de03e7e7678d875

SHA512
3f5a023e91c3975d867f5e73878d9fd70f703a932639c4517bee1db2b44fbf83ed62db69ca4cb95e86ffb2971c99c1276e1f43c22704512f2cad47e6149c985d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js

Filesize
10KB

MD5
bc59c3b1a6ad6b58f2e4e4410cafed25

SHA1
9b8367444bbee8f8e7b08ac74d80fcbc500ef8f2

SHA256
689edcf9121581b3f658405404a331ef70acd5ab85d776ef72a9294cb3e334e7

SHA512
4e53dd561f1626a58a6a9a68ed393cf2250551a8fba5d5da7ddb158c51ab9261b1ecd9c564604377dcf80610223b80e4d4058f9a595a9f516b17293475de0bc8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs.js

Filesize
10KB

MD5
ca0bdfb4ddf56c8336db107f19fd2712

SHA1
50a53b9b01968ff286e63c01854d081f0d693829

SHA256
75bb3e8cb6f236b466f5a1ce54f33993a17d9f7cc0d09710f026840f442b05fb

SHA512
4eaed9f4bbe17b609003b66ad3c1e2c33f5ee0c8ded461d7237ba9587cf48bbe4ff24cf76bdf75946e992fd791f90001d1c3a0528241cbcb01f8ed90b69656be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs.js

Filesize
9KB

MD5
4ef13e1b1c1bf6551637e21ca0cbfa21

SHA1
2a84703d17ae396a0a8fb177b4fd7d08df216b97

SHA256
ea067acc50b914d1e365ace38ebf4fe42ea00cdeb40bef7a5ead3effcac1f7cf

SHA512
c69eaad20c98b73f2aefaf6b9e6212c3602edd7958af418ea9d44c07a8d52787438cb7b92e9559ccef685dac30802c290bbec5f92446d305d414282559dee1d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
4de11e1bb4b8c332b9c3b399733258a6

SHA1
80691fb120f09f4f6872af486d01cda647794919

SHA256
06a41e2f1df98c74be348ca530e0f90304eb26ffffa9cda169d7329ad3822b0b

SHA512
394997d7ec6b8a3a2fdd6dd6f75ff19d8c7646c6cff652fb9d0c96ced0d6af11d5dad5ff7be6d2c80ca7d8522ba0d47229d4c011ee9d7bdac4bda9a6247b1193

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
4359bc14cfc91d2e6c468c48e62c5cb7

SHA1
056e505d36c61636a3073f819788b6e7c2368d28

SHA256
862fc3ffe45530c818d0696d05b63e46d422c77719469ba4ce8d42de1a5a892a

SHA512
274923596153ada4cddf671a9e5f6c82b7812fca1d0181597183c2b0cc92b5b618aa9dd1fef35d3dcb883bc5f24153c2bf2cdee68a17a1014e51883235dc085a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
8caf0a3c7493b4213692027ef9c4dbdb

SHA1
01f30ea429c262fd447a5203aed1d95c391fa83b

SHA256
9d9095d470ed3dae4c73ae840fc1217acb4383e887dcbb91c3997e33501f9fc3

SHA512
1533da177ee2cd1ad72961cbf0c54e53ef57f43966f238d693838ae52c084c8dfa3e3f2f60cb005356fa1a469b248049056c7575fbcaac33e4039d7ecbdda912

Download Submit
C:\Users\Admin\Downloads\12-01-2025_UqVE2XPvW38Pgkj.2pNccj9G.zip.part

Filesize
4.3MB

MD5
cf356b163f946dc2f16d95febf45a583

SHA1
e7c8e964c23f86765d729b82d3140604bb00cb7c

SHA256
50d3bf20e1534889385de4b8d780a750c9d37a75c941ffae6dd961caef2eb325

SHA512
baa6367011ebda751fe7ef40a49f99e96c5daf19e068b02b2cdf564477f17a792a9dc0887b9723208d0c49d55a7e1c501723643d12fee8c8dcd0d1406e65be2d

Download Submit
C:\Users\Admin\Downloads\12-01-2025_UqVE2XPvW38Pgkj\Bootstrapper.exe

Filesize
5.1MB

MD5
d15c24a478c313ede9d4ad03a4164f8a

SHA1
aceaa3800a3c042243e39b1235b7c1eef338e90f

SHA256
87e35093021944aa354666c0f7b594f4414e2c29a2da69f62a427ed56f91d2b1

SHA512
2b373ab102ba01bbb119f2e08daac38cb3f90939be0474c6086eb2d6e64eead65b41b8a818f464248b67973539b5de879844fe4175268ae8db808230480fea40

Download Submit
C:\Users\Admin\Downloads\NDP481-Web.exe

Filesize
1.4MB

MD5
39304ce18d93eeeb6efa488387adaed8

SHA1
22c974f3865cce3f0ec385dd9c0b291ca045bc2c

SHA256
05e9ada305fd0013a6844e7657f06ed330887093e3df59c11cb528b86efa3fbf

SHA512
4cf7f831fc1316dd36ed562a9bd1fda8cca223d64d662f3da0ade5fddc04be48c2d40333ba3320ee2d6c900e54c4f7e4f503897793e86666eac7e242d8194f5b

Download Submit
C:\Windows\TEMP\wbkbtnggimcu.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6714d2ce29e2b80c6ec82827abecc844

SHA1
c5316f2b4b4a073e25a694e20d7ee47441d459fc

SHA256
085cf746903ae4fe3be49a9ef382f64cc09d7cec88789f9c207c9e2886c53e9b

SHA512
93d8275ca299d01c41c4a1e7077c2a1c22e6a017962d3aab60411dfa59d05144f170a01eae278dad64da55f3dba57d2a2986d8bcbb4c48e018652f1b0dae90f7

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
F:\9c5db194f899fda77fce88ebca\1025\LocalizedData.xml

Filesize
81KB

MD5
075961c7e742c66ee4cd8b614a778141

SHA1
a5541fa0487135aaed1c336bba79e8025ac2804c

SHA256
4198a6ae89b0be8bd07ed3c18dea6ca87239a5a47343b73ff612ce0ab47e08dd

SHA512
c6881fc501805d0cb5aa9b42fc14029404a236166699e3845586e0609c26e4536bdd6ca2181e1139f83d5cb78c35d0fa7d158134f522fb9f4736880e330fc8f6

Download Submit
F:\9c5db194f899fda77fce88ebca\1028\LocalizedData.xml

Filesize
70KB

MD5
8b37256ce099957b91ebe1d51ad8f61c

SHA1
6bf4bcf46781126ffdce92e39ad4d1d912e75ac5

SHA256
7d6777e8c9484229c1b8e3f2e354a88f57539503c2c56f2b0ee47679a6ef9cc0

SHA512
6659dec6fae7a7f733a0c9e44a04f178a6732e1b9b785833c63efd8ed6e25adabb58e37b2ec039dacdb071732f8ee42ceb297cb2ec72b67e8d25eb093d5423a5

Download Submit
F:\9c5db194f899fda77fce88ebca\1029\LocalizedData.xml

Filesize
87KB

MD5
aadf97951359a8267f7990cdd2cc950d

SHA1
61f626b44e252e916c9c70a4222efc9c21d951c6

SHA256
e28d2d89fc269d25272956cee4d7150a30706f58ad305e84e3c1c9fe7ac0ee86

SHA512
2d352cf7d8d167b2a9fd4416582328d894619f2eb213fd334e1b15ef1044735a69ffca36fba02d9d1af6355e9d1a55d38c3b7f5339ecacb8c1dfdc4cc50c5342

Download Submit
F:\9c5db194f899fda77fce88ebca\1030\LocalizedData.xml

Filesize
84KB

MD5
e1f2f586d75650df1a751d86bb659df8

SHA1
283097241e6b1acc8f30ca822585df104c918e51

SHA256
615a6380adcfa3a0e7a5db2df9b98dad650678d8c46b1c7c3f2d2854204f079e

SHA512
b7fb3e366a7e5cbaaf99e8e14731653dd14885cd0b3d5462c091113f12800478ff2e5bd351bd403abaeef3041cdd5a7693825e488f27ec48d087686c95daa774

Download Submit
F:\9c5db194f899fda77fce88ebca\1031\LocalizedData.xml

Filesize
89KB

MD5
74d28384c38283518c6490bfd068ebf1

SHA1
c52d2fd41a59691e18871ec64db10c43f241fb6c

SHA256
01afd814b009538f387812f6940c863a9d0cd7dc4159050f34f82e50ecbc33f8

SHA512
e23ae604eafab0c3a0d8aeb07321c0dd629d21c5ba47d37958f48f1b9f27d89de4db880ec3958ad1e5f2165a69bed18d61f73f71fd743a2d7eaafdc0ef8d1cc0

Download Submit
F:\9c5db194f899fda77fce88ebca\1032\LocalizedData.xml

Filesize
91KB

MD5
233d0d1551b17f2284ad80674569de79

SHA1
67cd31126c6e5547e60d7266e61b6835b80b5916

SHA256
7106a1121056a73fed77aab7c7293dddffe0f5aecd7db969799a121ad5d88181

SHA512
c3375081c704fb05c7335929505ef4589fa728c97bb58738932b7ee05dd6e00c19d8ba14bb0a8dfce0d51ac73fa76bffa0ccc00772b73850eea37d39088a0473

Download Submit
F:\9c5db194f899fda77fce88ebca\1033\LocalizedData.xml

Filesize
84KB

MD5
31bff8efc0cc701092ab7fe606271d65

SHA1
844cc4837ebe3eea9563df6613989b4588d6f19c

SHA256
b3048715a23d9bd77e9b3e1ec8577f94cfc8c2dd30b61dbf326871a97aa6e22c

SHA512
472b881df9128c93f9183ab05d2406146aeef8ce9723c9dcfa6e93d093d90b2db75bb4a3f784d26db187436242409f021fa8b7844aa04bf9cb58f48a6c4822d5

Download Submit
F:\9c5db194f899fda77fce88ebca\1033\SetupResources.dll

Filesize
24KB

MD5
49a9bedc81cd400abbf794f272883a8d

SHA1
dc9aa0fe56bc4f0d5fee333eb28a29bb4750eed1

SHA256
197cb97902aa576a8a4dcbc5b4615a28943b1941d67c6fc163b5b4a034c650d0

SHA512
bd579834eb275cc07d458052317f1851380c5a510869b224c0441f70d2cb468c5cea034649704c9cced28cf2425fa1c67c0f8c22011b81ce98ed243647422415

Download Submit
F:\9c5db194f899fda77fce88ebca\1035\LocalizedData.xml

Filesize
85KB

MD5
c78dddce3189c67c23f60561dcacd4a8

SHA1
e375a6d1f71709ead1ad4139b1c16476019666d2

SHA256
e9353dedb338ce826b3b990851a955da1b04e484a378cac7c3c17a2de26d14a4

SHA512
a58d995936f5c5310e04f7514c177a071f3451638f0a9692593c4d505c5f48caeca1cee9644b092bf32bd70c52bb956f0b87ac748190aea2040adc3afbbab3b0

Download Submit
F:\9c5db194f899fda77fce88ebca\1036\LocalizedData.xml

Filesize
89KB

MD5
d7e814adae1a18958416b7e29ae7078b

SHA1
857fed2c8766102d1a64d91eccb0661f6de750fd

SHA256
c8c847bf9ddf8998520123ff0a638c6e9843c860b68943275b7f0256f324c4ce

SHA512
73ad8b3d24ace1795c93ef807b3e644512fee2a295eea05a93fea07d131746aa99f895a68075efe44c2c4e305da3881c27a342d2fa13dd6d1f258a9cc669491a

Download Submit
F:\9c5db194f899fda77fce88ebca\1037\LocalizedData.xml

Filesize
79KB

MD5
a258bd1060df46dcefe6257d4af638dc

SHA1
9e989db32e94499a717c93e889ebf47787509a42

SHA256
83120845e156ecbd401a9047365647cf8e9b2ec75d9295237da33c53eda365e4

SHA512
6f69aa98e264e3de3669f52e34140bf3a1bc333e3e3c4e06228eb1a78aabde380c8a444d9086a1f1188c49ead7ca73962db488dfb8e4e13c09ebf539ae53d011

Download Submit
F:\9c5db194f899fda77fce88ebca\1038\LocalizedData.xml

Filesize
88KB

MD5
1b59e64e51b3f9b96e8897d5b9b17c37

SHA1
1fdd8951133add26ae062da306133980e31809b0

SHA256
5dfa759937eb0ee393d94485e0ac74546d344f342fc3d42ad33847ebbd5163e4

SHA512
f1cb4670805ccd1327a7ea31b98caccc7c5bc7cb7ea7817a5749b0e176f4bdae36339d25d1037f9cdb19a47bcaac4e53fc49656c365ee7981473264b55f2a996

Download Submit
F:\9c5db194f899fda77fce88ebca\1040\LocalizedData.xml

Filesize
87KB

MD5
3192c0f7f30df881ec199d77b095b93e

SHA1
dca1cfe248a9de56f2d207d5f1979c92e006831c

SHA256
5dceb300d25c68003d61437e3802f97e1d5503e27032989338f7d260c7b0904e

SHA512
42a5f98103e23d7e8d7a34f8ba08d027ac4317d92109565b5f3fa4fd7057104d3a12b88846bee1914451cff59ed1b46e9146592784c09cd724bf004eb65864c3

Download Submit
F:\9c5db194f899fda77fce88ebca\1041\LocalizedData.xml

Filesize
76KB

MD5
4cfdb16e84869a51119e17a545ace7a2

SHA1
5eb358e13291d65ff8805513254b02ff3b83d7c6

SHA256
1c2587f7c0d7e57494061d24638a83c8f9d33a4eb192cfe6bd65c172fb6a76a4

SHA512
381878c16a98aae9ef688bf4735b13d2d42b2c115d76c1677f5c275db3745b35fac35468f11d80284307a6f5ed93265fa2c378a5199284d848fdf984f2a88daf

Download Submit
F:\9c5db194f899fda77fce88ebca\1042\LocalizedData.xml

Filesize
74KB

MD5
401f386416c7c37f92da9ec1688d750b

SHA1
c6565b80ba557827e3e6b96901f27fdcd1b525c6

SHA256
721cf8956fb2fb01df302713351eb9721cfccff096dc429d02b0f2b150855919

SHA512
f4ac60826287262b87bd407c85091d583ac504645faabd6fe8e116ac50e35908341d85850e8888e5928cb8235101e6b7a1074597946d584550e8aea6a7fba591

Download Submit
F:\9c5db194f899fda77fce88ebca\1043\LocalizedData.xml

Filesize
86KB

MD5
18efd16361a280efe263f261a4faa21e

SHA1
6e5bbbc46b2decdb00cd957d02e27bbbf2a4d880

SHA256
88de82f8c0934f23e0eb16224def959ff55da396610bd34149e4fb9aab24fb03

SHA512
b4bdaf600c5a855c040db974744b780c4860474c38ec453c4bfdc5a11c8beff65437d17c5ab0c3c78b5b861d93b0d41f1c3f4d5d435d233ba3719f78c9058446

Download Submit
F:\9c5db194f899fda77fce88ebca\1044\LocalizedData.xml

Filesize
85KB

MD5
a9998c1f395c44bcd41faa0ae60439e4

SHA1
4a267707c7dd8a24eed4c433b3c41b7e1a6a936b

SHA256
8165d0b468d73347a495f525dc81d847bb84b3391c8af1abc95e2b8f4a51d620

SHA512
9f0fb00c34ee788f9e8058915794b822fcb31f1c35a1d47ce5da2b15bae904cab513d55111ae4cccbf4da2587a4c3e045f0cc2e95654c9b5631a3a4a86632bd3

Download Submit
F:\9c5db194f899fda77fce88ebca\1045\LocalizedData.xml

Filesize
88KB

MD5
5eadf11a5b9af3f40b21328474ba3b7e

SHA1
af456b6123f9adf4ea0b926124b926ea3056248e

SHA256
4362c962c7611190999b36e139370245104b66398ebddd56b210810440c43e88

SHA512
e0f0c32c736d23d40508daaa2fb7b7033034154869a4f411aa4ff96c7ff197d97b1d89eb4a6da1dbfeacdd3373c45f22bdda70554521bbce409c051ae4573e42

Download Submit
F:\9c5db194f899fda77fce88ebca\1046\LocalizedData.xml

Filesize
85KB

MD5
361a4c229849b55e4540943b5c04403c

SHA1
46a0751432df223c936393f21a7543a3b314157e

SHA256
c2afb880f0986ca807b1dacbd5a9f2a5b9be4930c29379cdd88a6ebf9b0618c1

SHA512
40ba8c19286f992e5742f342532161062c36504aa3a364cdaee15e2e3ab750012d6502278d064f45b3df13b3063c66a361d688adbcaa6eb7a657c9a50e0e9380

Download Submit
F:\9c5db194f899fda77fce88ebca\1049\LocalizedData.xml

Filesize
87KB

MD5
f65088c4998e6ca3a872fc66bdd2a192

SHA1
c697a3a043a6104befd6f8e1b85e746c3d84e390

SHA256
3b2c633bb0a7342418aef0ce29331643a4cd48a572ddbb90c3d3433d135fd952

SHA512
a5938da7cab6e963c553de1c135ee9c7ec565fc97ed4d433dfff9debb5d31ba3bbf3d1b8a12e814462fd92f4c39680ae71dbd2e3df846f23a1a98921f3981992

Download Submit
F:\9c5db194f899fda77fce88ebca\1053\LocalizedData.xml

Filesize
84KB

MD5
a6f6198758552f453df96c4a8fb84134

SHA1
c40dd5faafe457c6c814695b4885f065f9d2f4bd

SHA256
b28bd460c2df31315297083c5507c233a569e1e89547127191468598b35eb36e

SHA512
9b958a0556d5989f71d1e38848c8b6b54ff6bfe292ad599b81e808f4c193cd41a23885d806539a0c246b811519a73d5fe7b0ce679c53119cfa97f999784fb66b

Download Submit
F:\9c5db194f899fda77fce88ebca\1055\LocalizedData.xml

Filesize
84KB

MD5
c515bca575c7e7e7dba8c1ac2a3031d7

SHA1
3aa307513e55a2ada4866ff8fcb2de4e5184a1ad

SHA256
98b5b75b8a89606dfcb54c622884671211199dffced96c29269010b81b06231a

SHA512
5a8c51f55aa6ae44f0a6932a30f0054e8c012080696d5fc784a3ec89aa63275978440364e6b9663eab5466af459594fd1c5d517c629f312bc9b4943e9e040a29

Download Submit
F:\9c5db194f899fda77fce88ebca\2052\LocalizedData.xml

Filesize
70KB

MD5
83242627ea9f4ea7c346a8830026eeb5

SHA1
75a8f52fa3e03b2f04b168d517117f80212b5672

SHA256
4577902142bb96b849f6b78866a5e81c761109a454470948902a40c73f7b9b7f

SHA512
cd27e3ad4168b7bb61b2336f73cd9f61516b953271aeecafbe22cbcffe18ef45d4a4e2c7513c3986939ffd635f2e7d1868798182ffcb4ae0e7aa207c5bc67bc2

Download Submit
F:\9c5db194f899fda77fce88ebca\2070\LocalizedData.xml

Filesize
87KB

MD5
50b9f5f566fd83ceeb0fd0992739388b

SHA1
c040e31d59580541bbcbd662598e8d3fbf52b51e

SHA256
4aa6b559e8993de92797e0d1c595cec0bf305403dd275a231f8417ba4c09c1a1

SHA512
87736f5db8bbcbe4924667e8f5820dc5329e902632d22480ac4768023215fd0db399f442eb1ba76ab2c5c008e58611f006cae4307605a5340380127fd83f70a4

Download Submit
F:\9c5db194f899fda77fce88ebca\3082\LocalizedData.xml

Filesize
86KB

MD5
14005b857dd90ec8bde8e80c3cb0faea

SHA1
7aa4e6f4c9feb808b2dc95f7541bd10aee02874b

SHA256
9d3fd31e3826b91d68ea34a6961cf288e23251cdf8faf0aad02653a55c53f2e0

SHA512
5ad424144a47fcc47ce5a33225a7cb1017b4278b5e3241da48213e132c4cef549ea3c107e7789f42886bdc0a343f50fcd0fc0b287efaff010bc1186251c5c0ec

Download Submit
F:\9c5db194f899fda77fce88ebca\DHTMLHeader.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
F:\9c5db194f899fda77fce88ebca\ParameterInfo.xml

Filesize
1.0MB

MD5
4a0c5e0d81034c74bedc85b7f4759888

SHA1
d2c13fca6d918c7b4d25c8b9290bac053c551694

SHA256
5b872fc7d87f00634137d4051ee6f4cf481f9f7e0163ae7589a6c40a7c828569

SHA512
913425ea56c02ec136ee6eab4ab6a44e6a61f428ee431df241e2c745377d33835a6ecac69a8d02596f2adbbbf602a8afe578a05a1e3d253aa6e60e5666e1214c

Download Submit
F:\9c5db194f899fda77fce88ebca\Setup.exe

Filesize
118KB

MD5
f7a63e2d4217b71d39e4b18b3dadf632

SHA1
c3446cd1a50f6374c3ad3446607864bee97426d9

SHA256
43290269962f9edb13d042d54973a76570f6e4b6a4af33e7362f8284b9083720

SHA512
1703b6c1b1f96febdee8663fa9e8e11939715781810f5feccc6f11b0298fed4f83f6decd975ed1c05dd0e976a12b0738040d0c09db46389a2720462a6624c942

Download Submit
F:\9c5db194f899fda77fce88ebca\SetupEngine.dll

Filesize
899KB

MD5
9964ce1f4874a686910dbc1aeec1a326

SHA1
0b434c566f6722c765245a1228b7600fd10ba1c9

SHA256
3a45fbe9c5e03f67b49808c068eb2ce831e4eebdd1b38e520e4be5a5537a72e4

SHA512
8d123ab8e6b767a80d122b021a77460373e2b0841c92375ba1f56830529a2610bbf3749ce95aa64b67f45591378246409f035518feced582c7ebe1b6609dba99

Download Submit
F:\9c5db194f899fda77fce88ebca\SetupUi.dll

Filesize
341KB

MD5
b90a60068318cefa24e3344c4ef71649

SHA1
e61893f999442bbf6c0b1fa4c154fddb3be721f1

SHA256
1f757ea33835920a08fd9558f973761f70bc63a8c01fda4db1170e19ebf0c73d

SHA512
372d17ddc5ecc1190a81be67d1e9a256e9d52d1225a0de064dcebc3b7da983412a3ec1c5cb4f3f1abfe5a1fb3cc69157abbdf05e1c6bbea368d0a357afbd611b

Download Submit
F:\9c5db194f899fda77fce88ebca\SetupUi.xsd

Filesize
31KB

MD5
a9f6a028e93f3f6822eb900ec3fda7ad

SHA1
8ff2e8f36d690a687233dbd2e72d98e16e7ef249

SHA256
aaf8cb1a9af89d250cbc0893a172e2c406043b1f81a211cb93604f165b051848

SHA512
1c51392c334aea17a25b20390cd4e7e99aa6373e2c2b97e7304cf7ec1a16679051a41e124c7bc890b02b890d4044b576b666ef50d06671f7636e4701970e8ddc

Download Submit
F:\9c5db194f899fda77fce88ebca\SplashScreen.bmp

Filesize
117KB

MD5
bc32088bfaa1c76ba4b56639a2dec592

SHA1
84b47aa37bda0f4cd196bd5f4bd6926a594c5f82

SHA256
b05141dbc71669a7872a8e735e5e43a7f9713d4363b7a97543e1e05dcd7470a7

SHA512
4708015aa57f1225d928bfac08ed835d31fd7bdf2c0420979fd7d0311779d78c392412e8353a401c1aa1885568174f6b9a1e02b863095fa491b81780d99d0830

Download Submit
F:\9c5db194f899fda77fce88ebca\Strings.xml

Filesize
13KB

MD5
8a28b474f4849bee7354ba4c74087cea

SHA1
c17514dfc33dd14f57ff8660eb7b75af9b2b37b0

SHA256
2a7a44fb25476886617a1ec294a20a37552fd0824907f5284fade3e496ed609b

SHA512
a7927700d8050623bc5c761b215a97534c2c260fcab68469b7a61c85e2dff22ed9cf57e7cb5a6c8886422abe7ac89b5c71e569741db74daa2dcb4152f14c2369

Download Submit
F:\9c5db194f899fda77fce88ebca\UiInfo.xml

Filesize
63KB

MD5
c99059acb88a8b651d7ab25e4047a52d

SHA1
45114125699fa472d54bc4c45c881667c117e5d4

SHA256
b879f9bc5b79349fa7b0bdbe63167be399c5278454c96773885bd70fbfe7c81d

SHA512
b23a7051f94d72d5a1a0914107e5c2be46c0ddee7ca510167065b55e2d1cb25f81927467370700b1cc7449348d152e9562566de501f3ea5673a2072248572e3b

Download Submit
F:\9c5db194f899fda77fce88ebca\graphics\print.ico

Filesize
123KB

MD5
d39bad9dda7b91613cb29b6bd55f0901

SHA1
6d079df41e31fbc836922c19c5be1a7fc38ac54e

SHA256
d80ffeb020927f047c11fc4d9f34f985e0c7e5dfea9fb23f2bc134874070e4e6

SHA512
fad8cb2b9007a7240421fbc5d621c3092d742417c60e8bb248e2baa698dcade7ca54b24452936c99232436d92876e9184eaf79d748c96aa1fe8b29b0e384eb82

Download Submit
F:\9c5db194f899fda77fce88ebca\graphics\save.ico

Filesize
123KB

MD5
c66bbe8f84496ef85f7af6bed5212cec

SHA1
1e4eab9cc728916a8b1c508f5ac8ae38bb4e7bf1

SHA256
1372c7f132595ddad210c617e44fedff7a990a9e8974cc534ca80d897dd15abd

SHA512
5dabf65ec026d8884e1d80dcdacb848c1043ef62c9ebd919136794b23be0deb3f7f1acdff5a4b25a53424772b32bd6f91ba1bd8c5cf686c41477dd65cb478187

Download Submit
F:\9c5db194f899fda77fce88ebca\graphics\setup.ico

Filesize
123KB

MD5
6125f32aa97772afdff2649bd403419b

SHA1
d84da82373b599aed496e0d18901e3affb6cfaca

SHA256
a0c7b4b17a69775e1d94123dfceec824744901d55b463ba9dca9301088f12ea5

SHA512
c4bdcd72fa4f2571c505fdb0adc69f7911012b6bdeb422dca64f79f7cc1286142e51b8d03b410735cd2bd7bc7c044c231a3a31775c8e971270beb4763247850f

Download Submit
F:\9c5db194f899fda77fce88ebca\graphics\stop.ico

Filesize
185KB

MD5
7d1bccce4f2ee7c824c6304c4a2f9736

SHA1
2c21bf8281ac211759b1d48c6b1217dd6ddfb870

SHA256
bfb0332df9fa20dea30f0db53ceaa389df2722fd1acf37f40af954237717532d

SHA512
16f9bf72b2ddc2178a6f1b439dedabe36a82c9293e0e64cfaccbf5297786d33025a5e15aa3c4dc00b878b53fe032f0b7ed3dee476d288195fb3f929037bdcdbe

Download Submit
memory/2580-531-0x0000000000E60000-0x0000000000E96000-memory.dmp

Filesize
216KB

Download
memory/2580-533-0x0000000004FD0000-0x0000000004FF2000-memory.dmp

Filesize
136KB

Download
memory/2580-560-0x00000000063A0000-0x00000000063BA000-memory.dmp

Filesize
104KB

Download
memory/2580-572-0x0000000008060000-0x0000000008604000-memory.dmp

Filesize
5.6MB

Download
memory/2580-558-0x0000000007430000-0x0000000007AAA000-memory.dmp

Filesize
6.5MB

Download
memory/2580-532-0x00000000050F0000-0x0000000005718000-memory.dmp

Filesize
6.2MB

Download
memory/2580-574-0x0000000007240000-0x00000000072D2000-memory.dmp

Filesize
584KB

Download
memory/4220-743-0x0000000000FB0000-0x0000000000FD0000-memory.dmp

Filesize
128KB

Download
memory/4220-739-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-809-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-737-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-740-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-742-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-746-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-744-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-747-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-749-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-745-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-741-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-736-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-738-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5124-579-0x0000000007B20000-0x0000000007B3A000-memory.dmp

Filesize
104KB

Download
memory/5124-580-0x0000000007A70000-0x0000000007A78000-memory.dmp

Filesize
32KB

Download
memory/5124-534-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/5124-535-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Filesize
408KB

Download
memory/5124-545-0x0000000005F10000-0x0000000006264000-memory.dmp

Filesize
3.3MB

Download
memory/5124-555-0x00000000064D0000-0x00000000064EE000-memory.dmp

Filesize
120KB

Download
memory/5124-556-0x0000000006500000-0x000000000654C000-memory.dmp

Filesize
304KB

Download
memory/5124-557-0x0000000006A90000-0x0000000006AC2000-memory.dmp

Filesize
200KB

Download
memory/5124-570-0x0000000006A70000-0x0000000006A8E000-memory.dmp

Filesize
120KB

Download
memory/5124-559-0x0000000074920000-0x000000007496C000-memory.dmp

Filesize
304KB

Download
memory/5124-571-0x00000000076B0000-0x0000000007753000-memory.dmp

Filesize
652KB

Download
memory/5124-573-0x0000000007870000-0x000000000787A000-memory.dmp

Filesize
40KB

Download
memory/5124-575-0x0000000007A80000-0x0000000007B16000-memory.dmp

Filesize
600KB

Download
memory/5124-576-0x00000000079F0000-0x0000000007A01000-memory.dmp

Filesize
68KB

Download
memory/5124-577-0x0000000007A30000-0x0000000007A3E000-memory.dmp

Filesize
56KB

Download
memory/5124-578-0x0000000007A40000-0x0000000007A54000-memory.dmp

Filesize
80KB

Download
memory/5144-735-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5144-728-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5144-730-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5144-729-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5144-731-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5144-732-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5876-719-0x000001D55D940000-0x000001D55D94A000-memory.dmp

Filesize
40KB

Download
memory/5876-707-0x000001D55D720000-0x000001D55D73C000-memory.dmp

Filesize
112KB

Download
memory/5876-720-0x000001D55D9A0000-0x000001D55D9BA000-memory.dmp

Filesize
104KB

Download
memory/5876-721-0x000001D55D950000-0x000001D55D958000-memory.dmp

Filesize
32KB

Download
memory/5876-722-0x000001D55D980000-0x000001D55D986000-memory.dmp

Filesize
24KB

Download
memory/5876-723-0x000001D55D990000-0x000001D55D99A000-memory.dmp

Filesize
40KB

Download
memory/5876-709-0x000001D55D4D0000-0x000001D55D4DA000-memory.dmp

Filesize
40KB

Download
memory/5876-710-0x000001D55D960000-0x000001D55D97C000-memory.dmp

Filesize
112KB

Download
memory/5876-708-0x000001D55D740000-0x000001D55D7F5000-memory.dmp

Filesize
724KB

Download
memory/5880-840-0x000002041FE40000-0x000002041FEF5000-memory.dmp

Filesize
724KB

Download
memory/6084-662-0x000001D4B9470000-0x000001D4B9492000-memory.dmp

Filesize
136KB

Download
memory/6108-891-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/6108-890-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/6108-892-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/6108-889-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/6108-888-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download