6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a

Analysis

max time kernel
149s
max time network
276s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
07-03-2023 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ambrosial.exe
Size

15.9MB
MD5

596b0f4684d45de83c204967c06e48a3
SHA1

933dc2dc29a17a9447c944289fed4f98e0eb5e5f
SHA256

6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a
SHA512

8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830
SSDEEP

196608:64WxsIO2gfRMhSE8/Erd8QP+ih91qBpodTAIRq+2vBt:64WuIO2gfRMYbcr6QP391qBafC

Score

7^/10

agilenet

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

Ambrosial.exe

pid process

2608 Ambrosial.exe

pid	process
2608	Ambrosial.exe

Obfuscated with Agile.Net obfuscator 33 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2608-345-0x0000021633450000-0x0000021633638000-memory.dmp	agile_net
behavioral1/memory/2608-353-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-354-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-356-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-359-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-361-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-363-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-365-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-367-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-369-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-371-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-373-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-375-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-377-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-379-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-381-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-383-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-385-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-387-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-389-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-391-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-393-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-395-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-397-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-399-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-401-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-403-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-405-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-407-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-409-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-411-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-413-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net
behavioral1/memory/2608-415-0x0000021633450000-0x0000021633634000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 3 IoCs

Processes:

Ambrosial.exe

description	ioc	process
File created	C:\Windows\Fonts\Azonix.otf	Ambrosial.exe
File opened for modification	C:\Windows\Fonts\Azonix.otf	Ambrosial.exe
File created	C:\Windows\Fonts\OpenSansLight.ttf	Ambrosial.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Ambrosial.exefirefox.exe

description pid process

Token: SeDebugPrivilege 2608 Ambrosial.exe
Token: SeDebugPrivilege 2864 firefox.exe
Token: SeDebugPrivilege 2864 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

2864 firefox.exe
2864 firefox.exe
2864 firefox.exe
2864 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2864 firefox.exe
2864 firefox.exe
2864 firefox.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

firefox.exe

pid process

2864 firefox.exe
2864 firefox.exe
2864 firefox.exe
2864 firefox.exe
2864 firefox.exe
2864 firefox.exe
2864 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	2608	Ambrosial.exe
Token: SeDebugPrivilege	2864	firefox.exe
Token: SeDebugPrivilege	2864	firefox.exe

pid	process
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe

pid	process
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe

pid	process
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2212 wrote to memory of 2864	2212	firefox.exe	firefox.exe
PID 2212 wrote to memory of 2864	2212	firefox.exe	firefox.exe
PID 2212 wrote to memory of 2864	2212	firefox.exe	firefox.exe
PID 2212 wrote to memory of 2864	2212	firefox.exe	firefox.exe
PID 2212 wrote to memory of 2864	2212	firefox.exe	firefox.exe
PID 2212 wrote to memory of 2864	2212	firefox.exe	firefox.exe
PID 2212 wrote to memory of 2864	2212	firefox.exe	firefox.exe
PID 2212 wrote to memory of 2864	2212	firefox.exe	firefox.exe
PID 2212 wrote to memory of 2864	2212	firefox.exe	firefox.exe
PID 2212 wrote to memory of 2864	2212	firefox.exe	firefox.exe
PID 2212 wrote to memory of 2864	2212	firefox.exe	firefox.exe
PID 2864 wrote to memory of 3960	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 3960	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 1268	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 4660	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 4660	2864	firefox.exe	firefox.exe
PID 2864 wrote to memory of 4660	2864	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Ambrosial.exe
"C:\Users\Admin\AppData\Local\Temp\Ambrosial.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.0.1530601151\1824096895" -parentBuildID 20221007134813 -prefsHandle 1608 -prefMapHandle 1588 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28127e9c-2383-4ee8-b09e-fb78723be9fe} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 1724 225b0fa7258 gpu
3⤵
PID:3960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.1.954272476\1617974803" -parentBuildID 20221007134813 -prefsHandle 2040 -prefMapHandle 2036 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b631e27-844b-40a0-8b71-8f2a1484099f} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 2072 225a486fb58 socket
3⤵
PID:1268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.2.881898301\2111860776" -childID 1 -isForBrowser -prefsHandle 2920 -prefMapHandle 2916 -prefsLen 21117 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc213098-a81e-4d58-a51b-b0575c47e05a} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 2932 225b3d14758 tab
3⤵
PID:4660

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.3.85964862\208434587" -childID 2 -isForBrowser -prefsHandle 3152 -prefMapHandle 3148 -prefsLen 26906 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e151326-1320-429e-b5f0-e8c148aeb53b} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 1064 225b2325e58 tab
3⤵
PID:4272

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.4.1526684139\263926288" -childID 3 -isForBrowser -prefsHandle 3252 -prefMapHandle 3248 -prefsLen 26906 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {89358c38-4253-4f75-84d4-6e898dae17d9} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 2896 225b4fc9958 tab
3⤵
PID:1392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.5.1100202455\1308637377" -childID 4 -isForBrowser -prefsHandle 4352 -prefMapHandle 4348 -prefsLen 27046 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c1cc685-0f7d-40a3-884c-2a0517640105} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 4364 225b2326458 tab
3⤵
PID:2216

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.6.71996052\1236578288" -childID 5 -isForBrowser -prefsHandle 4576 -prefMapHandle 4580 -prefsLen 27046 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {555121c0-5872-4607-a2bb-db25f57fd9e9} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 4676 225b58e4758 tab
3⤵
PID:3324

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.7.2145964766\1688728350" -childID 6 -isForBrowser -prefsHandle 4868 -prefMapHandle 4864 -prefsLen 27063 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f36e93fb-0a10-4238-94b6-387ed8cc3ede} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 3388 225a486b858 tab
3⤵
PID:3688

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.8.845866993\1205257385" -childID 7 -isForBrowser -prefsHandle 5108 -prefMapHandle 5096 -prefsLen 27063 -prefMapSize 232675 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74dd1af2-10a7-49ff-834a-e52f1f4d95ab} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 5076 225b6193f58 tab
3⤵
PID:208

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\688b889dc3f74dce961577d5cb61335f /t 2132 /p 2864
1⤵
PID:3568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe62459758,0x7ffe62459768,0x7ffe62459778
2⤵
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1592,i,15045882279379114962,4865785330354965188,131072 /prefetch:2
2⤵
PID:4712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1868 --field-trial-handle=1592,i,15045882279379114962,4865785330354965188,131072 /prefetch:8
2⤵
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=1592,i,15045882279379114962,4865785330354965188,131072 /prefetch:8
2⤵
PID:1456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1592,i,15045882279379114962,4865785330354965188,131072 /prefetch:1
2⤵
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=1592,i,15045882279379114962,4865785330354965188,131072 /prefetch:1
2⤵
PID:1848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4396 --field-trial-handle=1592,i,15045882279379114962,4865785330354965188,131072 /prefetch:1
2⤵
PID:664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4340 --field-trial-handle=1592,i,15045882279379114962,4865785330354965188,131072 /prefetch:8
2⤵
PID:2492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=1592,i,15045882279379114962,4865785330354965188,131072 /prefetch:8
2⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1592,i,15045882279379114962,4865785330354965188,131072 /prefetch:8
2⤵
PID:3576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4588 --field-trial-handle=1592,i,15045882279379114962,4865785330354965188,131072 /prefetch:1
2⤵
PID:1244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3000 --field-trial-handle=1592,i,15045882279379114962,4865785330354965188,131072 /prefetch:1
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4604 --field-trial-handle=1592,i,15045882279379114962,4865785330354965188,131072 /prefetch:1
2⤵
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5556 --field-trial-handle=1592,i,15045882279379114962,4865785330354965188,131072 /prefetch:8
2⤵
PID:1036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5592 --field-trial-handle=1592,i,15045882279379114962,4865785330354965188,131072 /prefetch:8
2⤵
PID:3920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 --field-trial-handle=1592,i,15045882279379114962,4865785330354965188,131072 /prefetch:8
2⤵
PID:4412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5884 --field-trial-handle=1592,i,15045882279379114962,4865785330354965188,131072 /prefetch:8
2⤵
PID:3752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5904 --field-trial-handle=1592,i,15045882279379114962,4865785330354965188,131072 /prefetch:8
2⤵
PID:1720

C:\Users\Admin\Downloads\Ambrosial.exe
"C:\Users\Admin\Downloads\Ambrosial.exe"
2⤵
PID:3176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3184 --field-trial-handle=1592,i,15045882279379114962,4865785330354965188,131072 /prefetch:8
2⤵
PID:376

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3576

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Ambrosial\assets\clients\1.19.2002.0\Zephyr Classic\launcherAssets\ProjectHalcyon.png
Filesize
54KB

MD5
cf4b10cab822fb4e563d5c1fc7757a30

SHA1
57328884b3e1ebf4eaeb4715a33bf93a52c95d53

SHA256
abb9e95c2b6bf7f7fad5f483b9e3e746bbca54a82ff79009d0760dcd2ff013cc

SHA512
f0607ac012b3e86a56f63b9778bde661424e56b3b048f24c8d82b693fe673e860bf0225863f4f71915a1c8c5c83f3caa0de796a0059860d62e378e0b98135eb0

Download Submit
C:\Users\Admin\AppData\Local\Ambrosial\assets\clients\cachedclients.json
Filesize
21KB

MD5
fe5d24800acdc5d26af90b2f66f8c84b

SHA1
ddc2e98511a766913a013433a3f20ee45183745c

SHA256
784f9e5508323217b012d7949c8de533d80b065f8954e81982b54039dc07f23d

SHA512
d8e491e747e003fc93a9c79595edc23bdfa3aef90c1477609560f3dc5c25d4f42e290d988b065b65e8ece69847cf34e5849f1b57fda0465cc4c46491718c4e70

Download Submit
C:\Users\Admin\AppData\Local\Ambrosial\log.txt
Filesize
1KB

MD5
94c7e7036e9223b2808db7272e7302f4

SHA1
bd12b4c38a7b7e473545b5f1116d8db7ee6a771b

SHA256
3cadead704a4fd0a1ac7091645c7ee9da6b086225c5c183cf3087c8ecf7319fc

SHA512
78e20346bf8779a42fcdf8f4bfc0df322a9b3bdd14707190370173695224d8f719cd79cb55a6f8237b3c028251c2358dfe582fa63a5bc9a649e4387625e7495c

Download Submit
C:\Users\Admin\AppData\Local\Ambrosial\log.txt
Filesize
3KB

MD5
c9d4354470ceda336a99f89bcc5cab81

SHA1
6b0cc170b772b1a8474009e00cea4b717419d5ca

SHA256
604d787ba427a0debd02fbc6d14c66a89f37213bc06ad852364e7a144f658584

SHA512
e04ed486276ff25088499f7c4e52746670da88d573c90537a794a159e9e584e537e09819a0ba9e4150960a6ca18be30345813beaad48c5e0c9c1dcd7dbd94ac2

Download Submit
C:\Users\Admin\AppData\Local\Ambrosial\log.txt
Filesize
4KB

MD5
c6e5fa99cdbe8dab5e05741d3d9e4716

SHA1
bcf93b39ed5c6cab6790451f2db3929147413b78

SHA256
6e348a330f70a683b7968db6a641261136046426dfd7e3016190162579c569c9

SHA512
7d4582d4229f6bd7454e9373e754da7cd9b16b75a3d472bd1414459dd93f4693a831ca198c16649e11f366e4e8b5a0ac6a7502244a2963dc24d9524688c0616e

Download Submit
C:\Users\Admin\AppData\Local\Ambrosial\log.txt
Filesize
19KB

MD5
43cf56b106219d29bc0804dd9e71c61d

SHA1
4127d54fea7a4fc7d537bb623d4edfc8f46e778d

SHA256
165c83fd17f0797ee9ca34c057a5e34947725ce64faf9cddb5557549c1d3b97b

SHA512
628ee3b3559c7dabd6d2623531bc625bb9330fc036c10761282fb90b39ccf3136185027a6bf4ac23dfa7d76b330354c8f07cda9291656cffcd52f6af9a9b43cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c
Filesize
37KB

MD5
d90cb261f4a509d886611473296e188e

SHA1
23551f9039c8b855b496f017c8f75b32f6e56671

SHA256
ca6c7cdd1e68e9f251fbf58e0b0ad9e883b38979e264c3cf4125f603b21c8bb4

SHA512
1cca6c9490c8f7adca7441ffea3e7445309d0c52fbaf7252e4c3c73525e00233a8173536c031747a55343bb86e96618d9c96afc6e4f8d25b0106729cca5c8031

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
461fa353285cba8fdfb8f07c1b1d52e0

SHA1
771475dcabc0fb03555fb351ae8986c310f64e19

SHA256
0b07e5cccfddfd16a6e6a1a0462acbc197e3dd8c779b8e00cf07efa0e54ce981

SHA512
140ca32c7168a7b963efad17e8c6562524b3ee6d52076037364d1ddca028fc30c4fb7decf271dc11329e1732ed1db1638501c6f83cb6b8050b57536c6d5489ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
1d22fe9a2de2e2600c407a6fd378992b

SHA1
78040558d159c582a17b0bc94c2044d903b79762

SHA256
0fe01a22c4a85552db284761e88431136108b66df2c47ee8018d22d3c5e131a7

SHA512
888daa80432b63b651216b616a3f21ba1194bd4f8588f8cbe1d0e63727d09c933a80dfae9794175b7fcdca9df35945f957cb52f89d45ae5a559345ff423b53b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
c0874b22479c3959091bbbfa494520dd

SHA1
f755be277f970166cefdf2d537a262611b65838d

SHA256
7f5a584431f893478caa142efbcdc68898bcf2d082926463ddeb46084321d6e6

SHA512
83f0cc597b9aca865b3e5014b50945b320d9becb57f916b8b5022a697755b2ce973204fec6e0d5d0d7b4222b23fdb0c74c4d0a7af788b2cfc16d0c3568a30176

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
e1fc23bf16f5933ec6bf560a4e9779be

SHA1
35c3df268e900a7b213fa4ff940bf00520a8142a

SHA256
7d059badffa81af536c93a2aee705e696b21dfeb48ff47fd3e9e2a99bac2c741

SHA512
6b6d0eff41e2d65e849f96bde01adfdb47cb7d93746723da9a97f792f244abd332ac423272ea3c33556bd838ddfb4cf8576968d2153744c83e9fc9f81bd7b9b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a36173ece2e15ebe929286e86f407fdd

SHA1
73125642e37d27137838826d8747f27c2d88da6a

SHA256
dbbaa7646fa88cee960053865d3a74f76db31fc6c5c19d76d113a356c4c62d1c

SHA512
e7d33f6c66e681972ba733fcf254f0b28899a6dc577cc06b1991b12e2c86375d7a53dca7c31cdf2e171a93303bb30715b8f3bd3f06a0c47b7615436f149a7cdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
ddd0de6b3bf704b36d66059281e18a20

SHA1
3e14448579070e4c92283af5b7740d3953bcd387

SHA256
48f96c5adbd12713a4ca3b4d7026799d56bed2c24e59ce778f2149918987bcba

SHA512
75e4337a0d98abcd88650603aaaafcdbe911e2ae025ba77ce956be46c846f4b4c6fe4d5dc30a7ded7dc592a1f642b25da5c8f24f6f7c4d7ea50fc8299ad06faa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
649dfc289174a490e411dec1266379e2

SHA1
1782a2b6aa4b1755c49a42e25c5c18b2b039a742

SHA256
46bfb731a8d81d21e3d23fff0568467295b2e2d07707d95d729d0ce83d20085c

SHA512
53a72af07249f3ffe586f4ba12292296b18b6afbc0e6478bd89a7e87f6d4bbc6147ff0f8130cb6723fa9cab7975a3ac833de8729a3991c829009d77cbecc2e1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
9a55583758e118f7b990b5a081a6ac82

SHA1
4560c74f31d6577dd853695e27cfb870617c43f6

SHA256
2cf8c2764f1f3f091f6550620d4be08b5245add2c92cd05ee53ac843558bb9ea

SHA512
d9dbe13ada3aed2261948d1073d7ab252e58e3983bd4f7e17b2ef16c2ea16e4ce7661907451be0164bf28889e01cb7a94eb7634728375179a7e5a582e924b251

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
53e432f083976b6252f6030a08c9fa45

SHA1
0f330739fc2d5c9515e3f09ecced4081f0851845

SHA256
d9d2c4392efcbd6fdf9e10fd7458786aae8c78004c99afead289f0865979b771

SHA512
4f7adce3d4aa39cb172ec78707e165e6a57f765e98720d9fbb4ad62cb8f06842612fb10a8647808460fa32b261ef90e3c9a4a0163f0d3b6afd59ecdd79e139fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
143KB

MD5
0978460845482e95097ae331c9171307

SHA1
4d4b85f02b1bb1c738bda63d8c68bac6552d3cc2

SHA256
4d2bd4809d5f6070c2d71e728d9d386aa8722d507661a31fff7b6f92e50719ce

SHA512
c65f11f575eee382aeb6f13e2dcea6081aff4c621304fae4dea2dc00bede7645609ea8983975a648636e39dfb7d0eb9f1bad1962f7b07838f77bf2a6e3a2cf66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\activity-stream.discovery_stream.json.tmp
Filesize
168KB

MD5
d939eae4127f918014a4360afc9b7e83

SHA1
b1d89b87496651bb2ebcf04cc593a0636cee38ab

SHA256
9ee0d4547add1b351098a4a952a19cabc33dde357e982907591ce1fdd0b031bc

SHA512
e438cbb9dc0a55b82042daa60a1f014f3684b1b15b37b3cb6018b8213ee5a0f1c42c2c976ef8a3f3e70a00ae23155cc4b9bc96bf82197a7e4517a07209c2f063

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e1a63fc-9228-4b4f-96fc-fee060f96e92\GunaDotNetRT64.dll
Filesize
142KB

MD5
9c43f77cb7cff27cb47ed67babe3eda5

SHA1
b0400cf68249369d21de86bd26bb84ccffd47c43

SHA256
f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e

SHA512
cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e1a63fc-9228-4b4f-96fc-fee060f96e92\GunaDotNetRT64.dll
Filesize
142KB

MD5
9c43f77cb7cff27cb47ed67babe3eda5

SHA1
b0400cf68249369d21de86bd26bb84ccffd47c43

SHA256
f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e

SHA512
cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Azonix.otf
Filesize
11KB

MD5
cdfe47b31e9184a55cf02eef1baf7240

SHA1
b8825c605434d572f5277be0283d5a9b2cde59e4

SHA256
51a65e5c09bf27980adf640cb54cb2a5bbb217fdaab79b377e158f92533362a9

SHA512
a2e5141c0f7ca72bcf5b1a303fce1734953d83ad363d4c3c7d8786e1bfd872a6b96eeabce3740b547a5447e255415cdf688a0d2074cecfaa0c54c49d0f2882c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\prefs.js
Filesize
6KB

MD5
fc03769491e92557713bff75b3dcae44

SHA1
a4f4687575dba8a950a014c93d8f9f086a2b68d6

SHA256
3e943e423e8dd73d3afd2444234e9c1ca4eebd430da878f5bcc15e2141da7375

SHA512
8e2266f0af8f7833397b36b31482a43a4bd798693e069f8aeb823d12b767bcdac3aed772ce10b8907fca777436e4efc39ecb5172e81d2672f1165a2427b709b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
88bcd917179fb3a5c09f809c8e758d70

SHA1
d51976598216dd1ad7f630a55cec84161b4d2f75

SHA256
17700f43df811c6bd859e44545f277437883474a11362dc488763e74f0bb2658

SHA512
50a0455160e0fb011c1cd8f24c1e0f8daf22cc55ce673a309978c177a1e30fa7247d45ebcce7d822331e3bdf964cd662f03c2607fd2dbe763973b64798d761bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
ef526397176dd04f2917eb22206a9377

SHA1
7518b27ea51335263eb6d050db6066adbbb59137

SHA256
18fd84d3c2c460bff7068c9603fc99ed5af7d1eeb36853da1ddae22cc20f9932

SHA512
cf0bba46a518c9388a70a2d3f3c8c630ed1996e4deb86d92cd0f64a37561d51464ee52b8befe5134aed8bd003cc704966e9880e4a2bde68c423d810d1485386e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
2868ade33b3fc157edc3d0e6b6b88d96

SHA1
2fbc5d21e4b5b51b85aa242c5f1094b78b42f06f

SHA256
463716a72dce3b7c34a12818ca051fc044627890946b4437b6998bcc24a20534

SHA512
0756622f5ab9deb31b5cb909c570b236b58fd594d9ff52b92a670761f1b447a1f15f9032a50dce0bbd9b176a761fe7a5f2095938c1642bfe04b93ba83147ee0d

Download Submit
C:\Users\Admin\Downloads\Ambrosial.exe
Filesize
15.9MB

MD5
596b0f4684d45de83c204967c06e48a3

SHA1
933dc2dc29a17a9447c944289fed4f98e0eb5e5f

SHA256
6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a

SHA512
8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830

Download Submit
C:\Users\Admin\Downloads\Ambrosial.exe
Filesize
15.9MB

MD5
596b0f4684d45de83c204967c06e48a3

SHA1
933dc2dc29a17a9447c944289fed4f98e0eb5e5f

SHA256
6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a

SHA512
8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 752446.crdownload
Filesize
15.9MB

MD5
596b0f4684d45de83c204967c06e48a3

SHA1
933dc2dc29a17a9447c944289fed4f98e0eb5e5f

SHA256
6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a

SHA512
8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830

Download Submit
C:\WINDOWS\FONTS\AZONIX.OTF
Filesize
11KB

MD5
cdfe47b31e9184a55cf02eef1baf7240

SHA1
b8825c605434d572f5277be0283d5a9b2cde59e4

SHA256
51a65e5c09bf27980adf640cb54cb2a5bbb217fdaab79b377e158f92533362a9

SHA512
a2e5141c0f7ca72bcf5b1a303fce1734953d83ad363d4c3c7d8786e1bfd872a6b96eeabce3740b547a5447e255415cdf688a0d2074cecfaa0c54c49d0f2882c5

Download Submit
C:\WINDOWS\FONTS\OPENSANSLIGHT.TTF
Filesize
217KB

MD5
1bf71be111189e76987a4bb9b3115cb7

SHA1
40442c189568184b6e6c27a25d69f14d91b65039

SHA256
cf5f5184c1441a1660aa52526328e9d5c2793e77b6d8d3a3ad654bdb07ab8424

SHA512
cb18b69e98a194af5e3e3d982a75254f3a20bd94c68816a15f38870b9be616cef0c32033f253219cca9146b2b419dd6df28cc4ceeff80d01f400aa0ed101e061

Download Submit
C:\Windows\Fonts\OpenSansLight.ttf
Filesize
217KB

MD5
1bf71be111189e76987a4bb9b3115cb7

SHA1
40442c189568184b6e6c27a25d69f14d91b65039

SHA256
cf5f5184c1441a1660aa52526328e9d5c2793e77b6d8d3a3ad654bdb07ab8424

SHA512
cb18b69e98a194af5e3e3d982a75254f3a20bd94c68816a15f38870b9be616cef0c32033f253219cca9146b2b419dd6df28cc4ceeff80d01f400aa0ed101e061

Download Submit
\Users\Admin\AppData\Local\Temp\0e1a63fc-9228-4b4f-96fc-fee060f96e92\GunaDotNetRT64.dll
Filesize
142KB

MD5
9c43f77cb7cff27cb47ed67babe3eda5

SHA1
b0400cf68249369d21de86bd26bb84ccffd47c43

SHA256
f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e

SHA512
cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

Download Submit
\Users\Admin\AppData\Local\Temp\0e1a63fc-9228-4b4f-96fc-fee060f96e92\GunaDotNetRT64.dll
Filesize
142KB

MD5
9c43f77cb7cff27cb47ed67babe3eda5

SHA1
b0400cf68249369d21de86bd26bb84ccffd47c43

SHA256
f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e

SHA512
cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

Download Submit
memory/2608-359-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-375-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-391-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-393-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-395-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-397-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-399-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-401-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-403-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-405-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-407-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-409-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-411-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-413-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-415-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-565-0x000002161A410000-0x000002161A420000-memory.dmp

Filesize
64KB

Download
memory/2608-806-0x00007FFE7A770000-0x00007FFE7A797000-memory.dmp

Filesize
156KB

Download
memory/2608-387-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-385-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-383-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-381-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-379-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-377-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-389-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-373-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-371-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-369-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-367-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-365-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-363-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-361-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-121-0x0000021617650000-0x000002161863A000-memory.dmp

Filesize
15.9MB

Download
memory/2608-357-0x00007FFE7A770000-0x00007FFE7A797000-memory.dmp

Filesize
156KB

Download
memory/2608-356-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-354-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-353-0x0000021633450000-0x0000021633634000-memory.dmp

Filesize
1.9MB

Download
memory/2608-352-0x00007FFE76BC0000-0x00007FFE76CEC000-memory.dmp

Filesize
1.2MB

Download
memory/2608-122-0x000002161A220000-0x000002161A23C000-memory.dmp

Filesize
112KB

Download
memory/2608-345-0x0000021633450000-0x0000021633638000-memory.dmp

Filesize
1.9MB

Download
memory/2608-152-0x0000021632BF0000-0x0000021632C12000-memory.dmp

Filesize
136KB

Download
memory/2608-145-0x0000021632AF0000-0x0000021632BA0000-memory.dmp

Filesize
704KB

Download
memory/2608-123-0x000002161A2E0000-0x000002161A2FA000-memory.dmp

Filesize
104KB

Download
memory/2608-124-0x000002161A410000-0x000002161A420000-memory.dmp

Filesize
64KB

Download
memory/3176-7486-0x00007FFE7A770000-0x00007FFE7A797000-memory.dmp

Filesize
156KB

Download
memory/3176-7436-0x0000012D531D0000-0x0000012D531E0000-memory.dmp

Filesize
64KB

Download
memory/3176-7685-0x0000012D531D0000-0x0000012D531E0000-memory.dmp

Filesize
64KB

Download
memory/3176-7741-0x00007FFE7A770000-0x00007FFE7A797000-memory.dmp

Filesize
156KB

Download