amadey | 5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534

Analysis

max time kernel
28s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534.exe
Size

1.8MB
MD5

579edaafad4cd35db85487afa7f2b778
SHA1

08796fd6a37de8062c3025659cfb02eba8aa23a5
SHA256

5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534
SHA512

95e0049c9b12a9ea48bf244ec3170a3ecc197f2d71922c18fe39e008ecb6ac4c18596d48ea4946d56bd2394a89f8da5b6116d6cb077d80548129fbaa0f7ffaa1
SSDEEP

24576:XWRcs0w7YRcjXVGr0nxUtpzVPuWlBdCY0Yv5+lnQkMWaSjymbZ+amk/oHwuL:mnHY6XVZxUtpUWdmCpSOmbZboT

Score

10^/10

amadey lumma redline stealc zgrat @oleh_psp test1234 evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Extracted

Family

redline

Botnet

@OLEH_PSP

185.172.128.33:8970

Extracted

Family

redline

Botnet

Test1234

185.215.113.67:26260

Extracted

Family

stealc

http://52.143.157.84

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

lumma

https://affordcharmcropwo.shop/api

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

https://diskretainvigorousiw.shop/api

https://economicscreateojsu.shop/api

https://communicationgenerwo.shop/api

https://entitlementappwo.shop/api

https://pillowbrocccolipe.shop/api

https://pushjellysingeywus.shop/api

https://absentconvicsjawun.shop/api

https://suitcaseacanehalk.shop/api

https://bordersoarmanusjuw.shop/api

https://mealplayerpreceodsju.shop/api

https://wifeplasterbakewis.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe	family_zgrat_v1
behavioral1/memory/2144-79-0x0000000000160000-0x000000000031C000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe	family_redline
behavioral1/memory/3000-145-0x00000000006E0000-0x0000000000732000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe	family_redline
behavioral1/memory/1556-184-0x0000000000570000-0x00000000005FC000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe	family_redline
behavioral1/memory/3404-232-0x00000000004D0000-0x0000000000522000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534.exechrosha.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534.exechrosha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrosha.exeRegAsm.exeNewB.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	chrosha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	NewB.exe

Executes dropped EXE 11 IoCs

Processes:

chrosha.exeswiiiii.exealexxxxxxxx.exegold.exepropro.exeTraffic.exeNewB.exejok.exeISetup8.exeswiiii.exetoolspub1.exe

pid	process
4444	chrosha.exe
996	swiiiii.exe
2144	alexxxxxxxx.exe
4360	gold.exe
3000	propro.exe
1556	Traffic.exe
1212	NewB.exe
3404	jok.exe
764	ISetup8.exe
4176	swiiii.exe
4936	toolspub1.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534.exechrosha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Software\Wine	5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534.exe
Key opened	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Software\Wine	chrosha.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4556 rundll32.exe
4600 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

149 pastebin.com
150 pastebin.com
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

128 ip-api.com
192 api.myip.com
195 api.myip.com
196 ipinfo.io
197 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534.exechrosha.exe

pid process

5008 5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534.exe
4444 chrosha.exe

pid	process
4556	rundll32.exe
4600	rundll32.exe

flow	ioc
149	pastebin.com
150	pastebin.com

flow	ioc
128	ip-api.com
192	api.myip.com
195	api.myip.com
196	ipinfo.io
197	ipinfo.io

Suspicious use of SetThreadContext 4 IoCs

Processes:

swiiiii.exealexxxxxxxx.exegold.exeswiiii.exe

description	pid	process	target process
PID 996 set thread context of 620	996	swiiiii.exe	RegAsm.exe
PID 2144 set thread context of 1348	2144	alexxxxxxxx.exe	RegAsm.exe
PID 4360 set thread context of 3900	4360	gold.exe	RegAsm.exe
PID 4176 set thread context of 3348	4176	swiiii.exe	RegAsm.exe

Drops file in Windows directory 1 IoCs

Processes:

5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534.exe

description ioc process

File created C:\Windows\Tasks\chrosha.job 5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534.exe

description	ioc	process
File created	C:\Windows\Tasks\chrosha.job	5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1220	sc.exe
1108	sc.exe
6120	sc.exe
5116	sc.exe
1288	sc.exe
5360	sc.exe
4460	sc.exe
4704	sc.exe
5880	sc.exe
3124	sc.exe
5856	sc.exe
396	sc.exe
5004	sc.exe
3264	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
212	996	WerFault.exe	swiiiii.exe
1420	4936	WerFault.exe	toolspub1.exe
4696	4648	WerFault.exe	ul8.0.exe
544	5460	WerFault.exe	u3qc.0.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4464 schtasks.exe
6084 schtasks.exe
2828 schtasks.exe

pid	process
4464	schtasks.exe
6084	schtasks.exe
2828	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

propro.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	propro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	propro.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534.exechrosha.exerundll32.exe

pid	process
5008	5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534.exe
5008	5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534.exe
4444	chrosha.exe
4444	chrosha.exe
4600	rundll32.exe
4600	rundll32.exe
4600	rundll32.exe
4600	rundll32.exe
4600	rundll32.exe
4600	rundll32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Traffic.exe

description	pid	process
Token: SeDebugPrivilege	1556	Traffic.exe
Token: SeBackupPrivilege	1556	Traffic.exe
Token: SeSecurityPrivilege	1556	Traffic.exe
Token: SeSecurityPrivilege	1556	Traffic.exe
Token: SeSecurityPrivilege	1556	Traffic.exe
Token: SeSecurityPrivilege	1556	Traffic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrosha.exeswiiiii.exealexxxxxxxx.exegold.exeRegAsm.exeNewB.exe

description	pid	process	target process
PID 4444 wrote to memory of 996	4444	chrosha.exe	swiiiii.exe
PID 4444 wrote to memory of 996	4444	chrosha.exe	swiiiii.exe
PID 4444 wrote to memory of 996	4444	chrosha.exe	swiiiii.exe
PID 996 wrote to memory of 1932	996	swiiiii.exe	RegAsm.exe
PID 996 wrote to memory of 1932	996	swiiiii.exe	RegAsm.exe
PID 996 wrote to memory of 1932	996	swiiiii.exe	RegAsm.exe
PID 996 wrote to memory of 220	996	swiiiii.exe	RegAsm.exe
PID 996 wrote to memory of 220	996	swiiiii.exe	RegAsm.exe
PID 996 wrote to memory of 220	996	swiiiii.exe	RegAsm.exe
PID 996 wrote to memory of 116	996	swiiiii.exe	RegAsm.exe
PID 996 wrote to memory of 116	996	swiiiii.exe	RegAsm.exe
PID 996 wrote to memory of 116	996	swiiiii.exe	RegAsm.exe
PID 996 wrote to memory of 620	996	swiiiii.exe	RegAsm.exe
PID 996 wrote to memory of 620	996	swiiiii.exe	RegAsm.exe
PID 996 wrote to memory of 620	996	swiiiii.exe	RegAsm.exe
PID 996 wrote to memory of 620	996	swiiiii.exe	RegAsm.exe
PID 996 wrote to memory of 620	996	swiiiii.exe	RegAsm.exe
PID 996 wrote to memory of 620	996	swiiiii.exe	RegAsm.exe
PID 996 wrote to memory of 620	996	swiiiii.exe	RegAsm.exe
PID 996 wrote to memory of 620	996	swiiiii.exe	RegAsm.exe
PID 996 wrote to memory of 620	996	swiiiii.exe	RegAsm.exe
PID 4444 wrote to memory of 2144	4444	chrosha.exe	alexxxxxxxx.exe
PID 4444 wrote to memory of 2144	4444	chrosha.exe	alexxxxxxxx.exe
PID 4444 wrote to memory of 2144	4444	chrosha.exe	alexxxxxxxx.exe
PID 2144 wrote to memory of 1348	2144	alexxxxxxxx.exe	RegAsm.exe
PID 2144 wrote to memory of 1348	2144	alexxxxxxxx.exe	RegAsm.exe
PID 2144 wrote to memory of 1348	2144	alexxxxxxxx.exe	RegAsm.exe
PID 2144 wrote to memory of 1348	2144	alexxxxxxxx.exe	RegAsm.exe
PID 2144 wrote to memory of 1348	2144	alexxxxxxxx.exe	RegAsm.exe
PID 2144 wrote to memory of 1348	2144	alexxxxxxxx.exe	RegAsm.exe
PID 2144 wrote to memory of 1348	2144	alexxxxxxxx.exe	RegAsm.exe
PID 2144 wrote to memory of 1348	2144	alexxxxxxxx.exe	RegAsm.exe
PID 4444 wrote to memory of 4360	4444	chrosha.exe	gold.exe
PID 4444 wrote to memory of 4360	4444	chrosha.exe	gold.exe
PID 4444 wrote to memory of 4360	4444	chrosha.exe	gold.exe
PID 4360 wrote to memory of 3900	4360	gold.exe	RegAsm.exe
PID 4360 wrote to memory of 3900	4360	gold.exe	RegAsm.exe
PID 4360 wrote to memory of 3900	4360	gold.exe	RegAsm.exe
PID 4360 wrote to memory of 3900	4360	gold.exe	RegAsm.exe
PID 4360 wrote to memory of 3900	4360	gold.exe	RegAsm.exe
PID 4360 wrote to memory of 3900	4360	gold.exe	RegAsm.exe
PID 4360 wrote to memory of 3900	4360	gold.exe	RegAsm.exe
PID 4360 wrote to memory of 3900	4360	gold.exe	RegAsm.exe
PID 4360 wrote to memory of 3900	4360	gold.exe	RegAsm.exe
PID 1348 wrote to memory of 3000	1348	RegAsm.exe	propro.exe
PID 1348 wrote to memory of 3000	1348	RegAsm.exe	propro.exe
PID 1348 wrote to memory of 3000	1348	RegAsm.exe	propro.exe
PID 1348 wrote to memory of 1556	1348	RegAsm.exe	Traffic.exe
PID 1348 wrote to memory of 1556	1348	RegAsm.exe	Traffic.exe
PID 4444 wrote to memory of 1212	4444	chrosha.exe	NewB.exe
PID 4444 wrote to memory of 1212	4444	chrosha.exe	NewB.exe
PID 4444 wrote to memory of 1212	4444	chrosha.exe	NewB.exe
PID 1212 wrote to memory of 4464	1212	NewB.exe	schtasks.exe
PID 1212 wrote to memory of 4464	1212	NewB.exe	schtasks.exe
PID 1212 wrote to memory of 4464	1212	NewB.exe	schtasks.exe
PID 4444 wrote to memory of 3404	4444	chrosha.exe	jok.exe
PID 4444 wrote to memory of 3404	4444	chrosha.exe	jok.exe
PID 4444 wrote to memory of 3404	4444	chrosha.exe	jok.exe
PID 1212 wrote to memory of 764	1212	NewB.exe	ISetup8.exe
PID 1212 wrote to memory of 764	1212	NewB.exe	ISetup8.exe
PID 1212 wrote to memory of 764	1212	NewB.exe	ISetup8.exe
PID 4444 wrote to memory of 4176	4444	chrosha.exe	swiiii.exe
PID 4444 wrote to memory of 4176	4444	chrosha.exe	swiiii.exe
PID 4444 wrote to memory of 4176	4444	chrosha.exe	swiiii.exe

C:\Users\Admin\AppData\Local\Temp\5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534.exe
"C:\Users\Admin\AppData\Local\Temp\5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5008

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1932
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:220
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:116
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 896
    3⤵
    - Program crash
    PID:212
- C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
  "C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:3000
  - - C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1556
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
      4⤵
      PID:1664
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1264
- C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
  "C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3900
- C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
  "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4464
- - C:\Users\Admin\AppData\Local\Temp\1000193001\ISetup8.exe
    "C:\Users\Admin\AppData\Local\Temp\1000193001\ISetup8.exe"
    3⤵
    - Executes dropped EXE
    PID:764
  - - C:\Users\Admin\AppData\Local\Temp\ul8.0.exe
      "C:\Users\Admin\AppData\Local\Temp\ul8.0.exe"
      4⤵
      PID:4648
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 1016
        5⤵
        Program crash
        
        PID:4696
  - - C:\Users\Admin\AppData\Local\Temp\serversystemNCQ_x64.exe
      "C:\Users\Admin\AppData\Local\Temp\serversystemNCQ_x64.exe"
      4⤵
      PID:5420
    - - C:\Users\Admin\AppData\Local\Temp\NBLwriter_test\TrueBurner.exe
        
        C:\Users\Admin\AppData\Local\Temp\NBLwriter_test\TrueBurner.exe
        5⤵
        
        PID:4856
      - C:\Users\Admin\AppData\Roaming\NBLwriter_test\TrueBurner.exe
        
        C:\Users\Admin\AppData\Roaming\NBLwriter_test\TrueBurner.exe
        6⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        7⤵
        
        PID:1268
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        8⤵
        
        PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\ul8.1.exe
      "C:\Users\Admin\AppData\Local\Temp\ul8.1.exe"
      4⤵
      PID:5760
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        
        PID:4448
- - C:\Users\Admin\AppData\Local\Temp\1000194001\toolspub1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000194001\toolspub1.exe"
    3⤵
    - Executes dropped EXE
    PID:4936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 468
      4⤵
      Program crash
      PID:1420
- - C:\Users\Admin\AppData\Local\Temp\1000195001\4767d2e713f2021e8fe856e3ea638b58.exe
    "C:\Users\Admin\AppData\Local\Temp\1000195001\4767d2e713f2021e8fe856e3ea638b58.exe"
    3⤵
    PID:4640
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\1000195001\4767d2e713f2021e8fe856e3ea638b58.exe
      "C:\Users\Admin\AppData\Local\Temp\1000195001\4767d2e713f2021e8fe856e3ea638b58.exe"
      4⤵
      PID:1912
- - C:\Users\Admin\AppData\Local\Temp\1000196001\FirstZ.exe
    "C:\Users\Admin\AppData\Local\Temp\1000196001\FirstZ.exe"
    3⤵
    PID:5144
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      PID:5880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4840
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:3920
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:6120
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:5116
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:4460
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:4704
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:396
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:4316
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:1332
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:4052
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:1888
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WSNKISKT"
      4⤵
      Launches sc.exe
      PID:1288
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:5004
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:3124
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WSNKISKT"
      4⤵
      Launches sc.exe
      PID:5880
- - C:\Users\Admin\AppData\Local\Temp\1000198001\Uni400uni.exe
    "C:\Users\Admin\AppData\Local\Temp\1000198001\Uni400uni.exe"
    3⤵
    PID:5512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000198001\Uni400uni.exe" -Force
      4⤵
      PID:6024
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      PID:6040
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:6140
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      4⤵
      PID:1088
    - - C:\Users\Admin\Pictures\I6lBI2hGDJCR6WOYN8LzII4Z.exe
        
        "C:\Users\Admin\Pictures\I6lBI2hGDJCR6WOYN8LzII4Z.exe"
        5⤵
        
        PID:4836
      - C:\Users\Admin\AppData\Local\Temp\u3qc.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3qc.0.exe"
        6⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 1224
        7⤵
        Program crash
        
        PID:544
      - C:\Users\Admin\AppData\Local\Temp\serversystemNCQ_x64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\serversystemNCQ_x64.exe"
        6⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\NBLwriter_test\TrueBurner.exe
        
        C:\Users\Admin\AppData\Local\Temp\NBLwriter_test\TrueBurner.exe
        7⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Roaming\NBLwriter_test\TrueBurner.exe
        
        C:\Users\Admin\AppData\Roaming\NBLwriter_test\TrueBurner.exe
        8⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        9⤵
        
        PID:5144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        10⤵
        
        PID:1124
      - C:\Users\Admin\AppData\Local\Temp\u3qc.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3qc.1.exe"
        6⤵
        
        PID:4320
    - - C:\Users\Admin\Pictures\4g1hgW4bgZIzUwav0jpwfEg4.exe
        
        "C:\Users\Admin\Pictures\4g1hgW4bgZIzUwav0jpwfEg4.exe"
        5⤵
        
        PID:1700
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4556
      - C:\Users\Admin\Pictures\4g1hgW4bgZIzUwav0jpwfEg4.exe
        
        "C:\Users\Admin\Pictures\4g1hgW4bgZIzUwav0jpwfEg4.exe"
        6⤵
        
        PID:5336
    - - C:\Users\Admin\Pictures\3lZSgfJlUZHDJQXGjRQHbRPi.exe
        
        "C:\Users\Admin\Pictures\3lZSgfJlUZHDJQXGjRQHbRPi.exe"
        5⤵
        
        PID:5400
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4768
      - C:\Users\Admin\Pictures\3lZSgfJlUZHDJQXGjRQHbRPi.exe
        
        "C:\Users\Admin\Pictures\3lZSgfJlUZHDJQXGjRQHbRPi.exe"
        6⤵
        
        PID:1288
    - - C:\Users\Admin\Pictures\INJTS7u4vUigMVTjiMYqSTP7.exe
        
        "C:\Users\Admin\Pictures\INJTS7u4vUigMVTjiMYqSTP7.exe"
        5⤵
        
        PID:5936
    - - C:\Users\Admin\Pictures\8KSOmsPJOIlGgNob5H2vkL89.exe
        
        "C:\Users\Admin\Pictures\8KSOmsPJOIlGgNob5H2vkL89.exe" --silent --allusers=0
        5⤵
        
        PID:5824
      - C:\Users\Admin\Pictures\8KSOmsPJOIlGgNob5H2vkL89.exe
        
        C:\Users\Admin\Pictures\8KSOmsPJOIlGgNob5H2vkL89.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x6a83e1d0,0x6a83e1dc,0x6a83e1e8
        6⤵
        
        PID:5572
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\8KSOmsPJOIlGgNob5H2vkL89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\8KSOmsPJOIlGgNob5H2vkL89.exe" --version
        6⤵
        
        PID:6000
      - C:\Users\Admin\Pictures\8KSOmsPJOIlGgNob5H2vkL89.exe
        
        "C:\Users\Admin\Pictures\8KSOmsPJOIlGgNob5H2vkL89.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5824 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240418075349" --session-guid=9c0b27d5-d4f1-4d7e-9755-17ec4077514d --server-tracking-blob="NmM2MDAxY2M1OWM2ZWI4ZjMwZmZhZTE0ZmU0YmZhZjA4NmNiNWQ5MjQ5Njk1ZDU0OTliYTVkZTc4OGU3YjZkZTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fMTIzIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzNDI2ODIzLjYwMDQiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzEyMyIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiMDNkY2Q5ZTItNmRjZi00OWZkLThlZjQtZDBjOTA0ZDhkN2E1In0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=F803000000000000
        6⤵
        
        PID:5128
        
        C:\Users\Admin\Pictures\8KSOmsPJOIlGgNob5H2vkL89.exe
        
        C:\Users\Admin\Pictures\8KSOmsPJOIlGgNob5H2vkL89.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x2a8,0x2ac,0x274,0x2b0,0x69e7e1d0,0x69e7e1dc,0x69e7e1e8
        7⤵
        
        PID:5268
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404180753491\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404180753491\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
        6⤵
        
        PID:4636
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404180753491\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404180753491\assistant\assistant_installer.exe" --version
        6⤵
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404180753491\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404180753491\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x796038,0x796044,0x796050
        7⤵
        
        PID:1592
    - - C:\Users\Admin\Pictures\sKHcYK3TFgfhwvTpeaEX3E1C.exe
        
        "C:\Users\Admin\Pictures\sKHcYK3TFgfhwvTpeaEX3E1C.exe"
        5⤵
        
        PID:5212
      - C:\Users\Admin\AppData\Local\Temp\7zS36DA.tmp\Install.exe
        
        .\Install.exe /sQwdidHh "385118" /S
        6⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        7⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 07:55:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\ElkpxDW.exe\" em /VYsite_idkAT 385118 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:6084
    - - C:\Users\Admin\Pictures\9QEZtAAHjuPtHTPlgnMiYYJ4.exe
        
        "C:\Users\Admin\Pictures\9QEZtAAHjuPtHTPlgnMiYYJ4.exe"
        5⤵
        
        PID:6052
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe
        6⤵
        
        PID:5440
        
        C:\Windows\SYSTEM32\msiexec.exe
        
        "msiexec.exe" /qn /i VirtualBox-6.1.20-r143896.msi ADDLOCAL=VBoxApplication,VBoxPython VBOX_INSTALLDESKTOPSHORTCUT=0 VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 /log "C:\Users\Admin\AppData\Local\Temp\charityengine-install-vbox-log.txt"
        7⤵
        
        PID:4408
    - - C:\Users\Admin\Pictures\s4du6Ov1rCKiwcz5RFyYdIiD.exe
        
        "C:\Users\Admin\Pictures\s4du6Ov1rCKiwcz5RFyYdIiD.exe"
        5⤵
        
        PID:3164
      - C:\Users\Admin\AppData\Local\Temp\7zS14F5.tmp\Install.exe
        
        .\Install.exe /sQwdidHh "385118" /S
        6⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        7⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 07:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\cFAdtkK.exe\" em /Pusite_idBBO 385118 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:2828
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      4⤵
      PID:5200
- - C:\Users\Admin\AppData\Local\Temp\1000199001\070.exe
    "C:\Users\Admin\AppData\Local\Temp\1000199001\070.exe"
    3⤵
    PID:5392
  - - C:\Users\Admin\AppData\Local\Temp\is-FKO90.tmp\is-752MT.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-FKO90.tmp\is-752MT.tmp" /SL4 $1025A "C:\Users\Admin\AppData\Local\Temp\1000199001\070.exe" 3833542 52224
      4⤵
      PID:5612
    - - C:\Users\Admin\AppData\Local\Music Station Plugin\musicstationplugin.exe
        
        "C:\Users\Admin\AppData\Local\Music Station Plugin\musicstationplugin.exe" -i
        5⤵
        
        PID:5344
    - - C:\Users\Admin\AppData\Local\Music Station Plugin\musicstationplugin.exe
        
        "C:\Users\Admin\AppData\Local\Music Station Plugin\musicstationplugin.exe" -s
        5⤵
        
        PID:392
- C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
  "C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
  2⤵
  - Executes dropped EXE
  PID:3404
- C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4176
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1904
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3476
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3348
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:4556
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4600
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:2416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\288054676187_Desktop.zip' -CompressionLevel Optimal
      4⤵
      PID:1912
- C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
  "C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe"
  2⤵
  PID:3732
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    PID:516
- C:\Users\Admin\AppData\Local\Temp\1000167001\build_1GyXIDXRUC.exe
  "C:\Users\Admin\AppData\Local\Temp\1000167001\build_1GyXIDXRUC.exe"
  2⤵
  PID:4580
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1016
- C:\Users\Admin\AppData\Local\Temp\1000173001\Startup.exe
  "C:\Users\Admin\AppData\Local\Temp\1000173001\Startup.exe"
  2⤵
  PID:4928
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 996 -ip 996
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4936 -ip 4936
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4648 -ip 4648
1⤵
PID:5496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5460 -ip 5460
1⤵
PID:5324

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
1⤵
PID:3988

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
PID:5720
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1920
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3736
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1220
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5360
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3264
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1108
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:5856
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:5552
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:1944
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:4128
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:3124
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    PID:4856
- - C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
    3⤵
    PID:5760
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      PID:5876
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:5456

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5456
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 59931E338D90A952992CECC8B3EE84D5
  2⤵
  PID:3016

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:5800

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
1⤵
PID:5272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ImageGuide 3.1.33.67\ImageGuide 3.1.33.67.exe

Filesize
3.9MB

MD5
baf9651290bdd0022e673773abff6e66

SHA1
9e83c98e10d25d7ea1c09358f564b8790a09455b

SHA256
57aa01a2757286ef09abd7b39de59ddf61a1c981a260cf9529c98bf308ef8ec3

SHA512
aae434da10f7f33f43c2083b28619d2c08a3bfaffaba9b143b503d2920345f4141c60bfdf29334bdd391a8d61e57ac077b88a349e8c533ff64f301c8043259b4

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404180753491\additional_file0.tmp

Filesize
2.5MB

MD5
15d8c8f36cef095a67d156969ecdb896

SHA1
a1435deb5866cd341c09e56b65cdda33620fcc95

SHA256
1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8

SHA512
d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404180753491\opera_package

Filesize
103.8MB

MD5
5014156e9ffbb75d1a8d5fc09fabdc42

SHA1
6968d1b5cec3039e53bbbedeee22e2d43d94c771

SHA256
7a01e11e1830ba3c154e5a6c383da15938b1e48f89a2fe4045cdd260924b6802

SHA512
bfc5c44881d0fa7bcbccfd530d874fa624adec50e1a16063a72de12876d2db10ca5edd6fa841ea63e9deca3ff2adf54065f50719fe051d41de92bb68edba4016

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

Filesize
1.7MB

MD5
85a15f080b09acace350ab30460c8996

SHA1
3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

SHA256
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

SHA512
ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

Filesize
308KB

MD5
818b475b766c54df6d845cb10b6eedcf

SHA1
69ba418b84f5eb0930ba483c8fb1d8416b0b8749

SHA256
8ceca5e241d721a22aa11fa5fc0700c394c9c809fc2565458dedf5c45e99c478

SHA512
93371ece9326b2e88425c01d4f6f7dcc19ae5ee252295d8ddf283bc21ae4f5a72761b0f3ae1204dc85fcd1a11096ccd6c3af4b9e6a85ad9833e8cb06b85c5ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

Filesize
304KB

MD5
8510bcf5bc264c70180abe78298e4d5b

SHA1
2c3a2a85d129b0d750ed146d1d4e4d6274623e28

SHA256
096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6

SHA512
5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

Filesize
158KB

MD5
586f7fecacd49adab650fae36e2db994

SHA1
35d9fb512a8161ce867812633f0a43b042f9a5e6

SHA256
cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e

SHA512
a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000167001\build_1GyXIDXRUC.exe

Filesize
210KB

MD5
51b0ed6b4908a21e5cc1d9ec7c046040

SHA1
d874f6da7327b2f1b3ace5e66bc763c557ac382e

SHA256
4e68c5a537320cbe88842a53e5691b7f1a590b9c0b491a12baaeeda111dcaa4d

SHA512
48ec96b209d7061a1276496feb250cf183891b950465d3a916c999aa1efc1c8831b068ce0fce4ce21d09677f945b3d816ed4040146462a0ce0845318041586a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000173001\Startup.exe

Filesize
3.3MB

MD5
76eae6ef736073145d6c06d981615ff9

SHA1
6612a26d5db4a6a745fed7518ec93a1121fffd9c

SHA256
3acdea11112584cd1f78da03f6af5cfc0f883309fc5ec552fa6b9c85a6c483bb

SHA512
e7c118bbe9f62d5834b374e05242636b32daab2c1fe607521d6e78520665c59f78637b74c85d171f8608e255be50731771f0a09dcca69e016b281ee02ab77231

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000193001\ISetup8.exe

Filesize
412KB

MD5
34d3a9f816f973641510dd3f24b23ba2

SHA1
3e838249fc40a3e2baf3639fac5d9b5222aaf56d

SHA256
97a9df83c59f602e8734652fc1062d89675fe804c2bf29b7c1a03718511f2e6e

SHA512
40c3d150d320920adb4a820030ab674021cdbc48893cd7973dae4708d2f71b0129e450d6e7759a0cfc3bc2a1c9b2f149d31c3d85a590e56de9053348277c8ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000194001\toolspub1.exe

Filesize
307KB

MD5
a11d2533c5dd2b17161fc2eea2ba1bef

SHA1
f7f42c054b83cb0cc3bb0a54a75195f920d9ced8

SHA256
4da76547d7081b68f3af83c77a5c75b2ff3f0691d7c58aca34632ff2ecd1e98c

SHA512
0053214e42b72365bd435ab8f35e4ddc8774c347dfa57d90c9f49c81b23dd1178f0a77b0facb0cce0d29b67b33eb7243a5c7c4f267274374e095a47f4a301a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000195001\4767d2e713f2021e8fe856e3ea638b58.exe

Filesize
4.2MB

MD5
2239b897e08c8c7c0e3de98d3d0d6333

SHA1
f99e02c88ef301ef359c5538bc2a48fe5a62538b

SHA256
2006d8325d9ecac5d605795abb2690d8869468287be7a9333508ca3a5e4a7139

SHA512
cd2a7b9cfb34b1ad3803683b75921ffbda15a719c22ba7c4528c8892b9845b826c31572288d5716ea0ed683cfdcc866ccafeed7ebd3f75813926fe577f8ea0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000196001\FirstZ.exe

Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000198001\Uni400uni.exe

Filesize
556KB

MD5
e1d8325b086f91769120381b78626e2e

SHA1
0eb6827878445d3e3e584b7f08067a7a4dc9e618

SHA256
b925abb193e7003f4a692064148ffe7840096022a44f4d5ae4c0abb59a287934

SHA512
c8c0b424c2ed7ee598997bdc0b0d2099b650a280903716891b0eaa340acf556c0642d921fcb7f654387a4a1f1ec4a32feaf8d872b51ca482a977f11e2974072c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000199001\070.exe

Filesize
4.0MB

MD5
b0ce910f653e0cd76f89e73c12af443d

SHA1
f23fc3710af8c8975b819c2c59b9ae062225c991

SHA256
ea912adceeaa763aece9bc815db45439a64e333c5791c4f6974dad73247f76d6

SHA512
2b404ca6f743a880e7a0b7cbb9f4eab0697b7f1d050fa759bee7a4e4064bd9b2c4807e711a73ca776060162f32b62b4939dd61f8006485c07d9960f1877cf34f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

Filesize
1.8MB

MD5
579edaafad4cd35db85487afa7f2b778

SHA1
08796fd6a37de8062c3025659cfb02eba8aa23a5

SHA256
5532dfb59a4d7f1bfcee31623b7b7be6b43f7b86f24098ff7e890721bca63534

SHA512
95e0049c9b12a9ea48bf244ec3170a3ecc197f2d71922c18fe39e008ecb6ac4c18596d48ea4946d56bd2394a89f8da5b6116d6cb077d80548129fbaa0f7ffaa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS14F5.tmp\Install.exe

Filesize
6.8MB

MD5
e77964e011d8880eae95422769249ca4

SHA1
8e15d7c4b7812a1da6c91738c7178adf0ff3200f

SHA256
f200984380d291051fc4b342641cd34e7560cadf4af41b2e02b8778f14418f50

SHA512
8feb3dc4432ec0a87416cbc75110d59efaf6504b4de43090fc90286bd37f98fc0a5fb12878bb33ac2f6cd83252e8dfd67dd96871b4a224199c1f595d33d4cade

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c7704e6

Filesize
9.0MB

MD5
57b5400654ece4f893bc1108f3b32676

SHA1
1548133846e49e6f822b695dd472495780bbfe29

SHA256
b68e0064d9d879d988c6447c21bf3501ab41e834a14ee67720fad9eed7aceb8c

SHA512
71457c82dc12dc53a62e0499115f1779d2195da7906dc0124ac6c856005149b8d094c1408f475d63c5e13291c58db74081be2155a218b2469b00dd897502df6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NBLwriter_test\TrueBurner.exe

Filesize
5.6MB

MD5
0add242030c1c5e5e312042f2bee2e72

SHA1
8e75f3724d75df8d67e1fd555912da332da7f5d1

SHA256
3e190f160218ad78c85c169dfd0828d36e4a366a3e2a61337391f0d7599a7558

SHA512
07860926b25c2e091313a57e0f9d60879229cab9516488567d617649d86c5b04deb3b1b047dd6143d3ced760086a5af4fc75a7c0e534d48ada0b7ec59dcf39c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NBLwriter_test\badata_x64.dll

Filesize
4.0MB

MD5
0cf98626c6a2922bb6a4d456e47d0608

SHA1
6b71cfc583b337d40574415e9bb91b76296bab7d

SHA256
b4316ff3c60dad0a752aacf0fc88296bcc9c4dac93513d1a6dc1461f17156750

SHA512
27c37c9a0fa1ea76ed6ae9c5389012008f9d1b5523214d2d3702f9305ffa1edcc78a415641cac17adbd581bc57951e7cfdc67be5ad3de6ad0185e25a325f9465

Download Submit
C:\Users\Admin\AppData\Local\Temp\NBLwriter_test\cerebrum.xls

Filesize
53KB

MD5
21dc5133ac6f22266c77c65ad45b2677

SHA1
46c0ad029268c04c7ae9d5ec99381abfb789bdaa

SHA256
fe6b0bda2f3d946a786f9b33d641134e47a2418b4ff2aeb44bfd37b405765a01

SHA512
8257a818a916ca2a96a48a31cc557cfb90e90b501999232fd0b74767b40c3f9fcc45ffd807147bc47a8da09714335a86d04c2f7f8313bdba0da9a51c6abb9c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NBLwriter_test\titular.flac

Filesize
1.2MB

MD5
d6caca3c4dd5dad51521b8b0811a7ec4

SHA1
049a4f59d387f7d70be992a90711e43902390a7a

SHA256
21d4bec89486481a8d49b49f75e9e5cba53edfe8735f57c1f36285daa0a33563

SHA512
2181e441fb50e537e0e52c6229c9c330ab1eb690cfd66e6581ae314fab303ef65a629c917eaf0eef32505fe227254818cdfde5c957d73339c716f75d29bbcfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404180753484686000.dll

Filesize
4.6MB

MD5
0415cb7be0361a74a039d5f31e72fa65

SHA1
46ae154436c8c059ee75cbc6a18ccda96bb2021d

SHA256
bb38a8806705980ee3e9181c099e8d5c425e6c9505a88e5af538ca6a48951798

SHA512
f71c2b9e1559aa4eb2d72f852ef9807c781d4a7b96b8e0c2c53b895885319146bd43aa6e4223d43159f3d40bc60704206404dc034500e47fca0a94e53b60239e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp9134.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dqhc3aan.3z2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
45bbf73d9ff874eefd677f568b17cbc9

SHA1
506538f17a9d08177294b6d8e1f9e483fee9ffcc

SHA256
7b832e48cd6c111f1dc759f9b676493a5589bf2cec2b9733b08b07c41b7f3bfb

SHA512
b1fcb9b2551ad0e5e8017f9e8c8c12d73343f0edd77d98ee25045374505763f69f240f097cc2ea3bae31b2cb0ee19ab6c0980bd10c76f7c21f1b4fbb97e5613d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6N0MU.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FKO90.tmp\is-752MT.tmp

Filesize
648KB

MD5
5170e1c2fbba2b8d1340e980c7aa6580

SHA1
7eeef4d22f4774f61a75d321d02f30baebde23c7

SHA256
4a59146d08f549a2da1eff3fb5f7b8d1986ab08e68babbdc558b55a85ed03182

SHA512
84c10f26d91f6ee8298bd639ce2f3caacffb15e9a3696cebb3f347617ade4e24431d28da1670c09f7a065904b10a6385abf1e99ffdf98b4301bb844ae3023287

Download Submit
C:\Users\Admin\AppData\Local\Temp\serversystemNCQ_x64.exe

Filesize
10.9MB

MD5
e8295a7ef2d88aa3a16361a5e53feb3c

SHA1
b07a32538e0540a467203f343bb64e6536d36730

SHA256
18ec7b686d8ff469e63b2568210f5886e9e5512a651137e7fb5e8009a41a54be

SHA512
fc4da2e0f157012fa88f42d7855405e2b078a61548500501ca509937fea78a3024b14a36ea59207a1d2c0a46be54ca3919be578a01d6bd93725b87b3151d6157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBBDA.tmp

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC4A.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEC64.tmp

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEEE8.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\ul8.0.exe

Filesize
270KB

MD5
c0afc2a3cabd6efc6f3719ad7c6fc166

SHA1
72c70f015493a88558a851ebad18c07bff2e92b1

SHA256
2274752a346129c85b6d912a54da10e9c221b64187a1142f411cdb629b2609cc

SHA512
9d9b50fa985df0e457fb13cad0d16d72650468ee5c00f9214a67459d48e6580c6687c90fbad0f55276205c703cc8d14c75cef9a5509e38e86bff69ad5358e857

Download Submit
C:\Users\Admin\AppData\Local\Temp\ul8.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2288054676-1871194608-3559553667-1000\76b53b3ec448f7ccdda2063b15d2bfc3_7c31d3ed-7f70-49de-870c-1f0d986cd62d

Filesize
2KB

MD5
e166d3c2653bc863dff55537c02fc0db

SHA1
009331f071ba6f1481803c933757ebeb136c6fd4

SHA256
c5fe5491b9df4ea85436c1dd4a7bef48e7853d3dfa3b1197a41b63358f4aa03f

SHA512
4076a6994f4078724efbd5bf81e5d3d83286a969f7c72c6f698700a34e4af0a84f1df68ff735f53c4b7388dfe2f19995d39f634b733c056cb486bd61b9798622

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe

Filesize
541KB

MD5
1fc4b9014855e9238a361046cfbf6d66

SHA1
c17f18c8246026c9979ab595392a14fe65cc5e9f

SHA256
f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

SHA512
2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe

Filesize
304KB

MD5
cc90e3326d7b20a33f8037b9aab238e4

SHA1
236d173a6ac462d85de4e866439634db3b9eeba3

SHA256
bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

SHA512
b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
cd7d6bffccf9de2857208ad7cb5033a7

SHA1
d328cde3f0b10043c3a5bf824e6b465124ab66fa

SHA256
7c332c27d3432b1a65d2b063027ee4b6897d377258318cdffe6c613e6d3afa0a

SHA512
e83e264c917954019ac3644a3f02baf888dea0cae785303724599b73b616f479682a1421acccd8cfc3c88bdc5c35b4f33f84faa7fb5c63f58d3e501a5649a5a9

Download Submit
C:\Users\Admin\Pictures\4g1hgW4bgZIzUwav0jpwfEg4.exe

Filesize
4.2MB

MD5
c8084fbb76e11606fa849dc83d0ec95b

SHA1
00cf80dc055c4d6a40842801a3fd3624970c3804

SHA256
5a292e565796b1f0c8ac3edbe851f7222168884438228e2773b3f52eb4016309

SHA512
b320260297fc96618f6091086cdc6bf0279fc84456fbe8a0e83a065f900de8005e79808c955722839d8ef6c503df5079c04600776054785dcfa499f8f84db46c

Download Submit
C:\Users\Admin\Pictures\8KSOmsPJOIlGgNob5H2vkL89.exe

Filesize
5.1MB

MD5
dc542980aac7f397bf4a6eac8164bc3b

SHA1
2ee3f868f8cd77810f1bc0de322a32b3480efdeb

SHA256
d9c8e8315f7391695c28821599e255539964200b331c247d49e40e62d95e3b61

SHA512
fb1e082ea23beded70207a159899e41f584bf4c2dd33e355634e6e2f64d67e3c1a8887fe3037cc977add06f99fe52c237b1e9a0a85daac78d9676fdb064a69b8

Download Submit
C:\Users\Admin\Pictures\9QEZtAAHjuPtHTPlgnMiYYJ4.exe

Filesize
84.4MB

MD5
fddd641bcdd1273a3807c28261b65e46

SHA1
c4c2c4bc391fbad2a163df1861c40ec3849b388c

SHA256
274b3ff6502709114da590fcb7913c859cade85f87c1a06391b53becfa3e6e3b

SHA512
bb7582f3655c15807f40e1daaaf8bc0a52572fd5b870fb017090780e818761844cb17f36a59c2eb28842e913254a31c035c37a02cfffdafaf657d9846e112384

Download Submit
C:\Users\Admin\Pictures\G9gOly99ZYTChW4g7IwX6RXh.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\INJTS7u4vUigMVTjiMYqSTP7.exe

Filesize
4.9MB

MD5
a25cdf843e60f609b970ac9414170a7a

SHA1
9d0fee8c64c58d674d383654a4391b8e41d994dc

SHA256
109a993670756619db430191f217236914602b1aac6fe093e1b8b1887cc3d9f9

SHA512
e4dc2979919c8ecfb2a09fd78446db57483e74ff2e3ddcb498d0718590ef0e9021424d6656822921d41b648a36253e9275045b2e4931f94f00c474b73444c6fd

Download Submit
C:\Users\Admin\Pictures\sKHcYK3TFgfhwvTpeaEX3E1C.exe

Filesize
6.5MB

MD5
5d5da0738299d8893b79a6c926765e5f

SHA1
b05c2cfd30ca1c163cb829b7e7e5ea2d6c57d1d1

SHA256
53c80bee05d28fe65ab0ae6459753fe7b804c0b68b85faaf828576687ef28ca3

SHA512
d9fffe943131e71762f5e2e1ad3d23053069f0f028054be9ec2c8491a6812adadacbf099ab8fa79ca9916ceda14ccaedfe4a0e1e5235871a97145ef77d7b0b26

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
b3026d9d4531ff05b668e1701b49a377

SHA1
0b6b2f0510d639aca3ed2f0f21f40a8cec31d176

SHA256
968fe9ec4b781e23e96f79d7f117f36a6820935ff867fa62804211fdaa9a99c1

SHA512
944dea13c76d40bc75c8614c7309ccb2185729798f0b857d642fd674c169d0cb1078441962d63d354ee368249f3d1c1b8d04ed4416242ca917834f9577a5bec5

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/620-58-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/620-53-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/620-56-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/620-59-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/764-289-0x0000000002EC0000-0x0000000002FC0000-memory.dmp

Filesize
1024KB

Download
memory/996-82-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/996-50-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/996-49-0x0000000000310000-0x0000000000362000-memory.dmp

Filesize
328KB

Download
memory/996-57-0x00000000027A0000-0x00000000047A0000-memory.dmp

Filesize
32.0MB

Download
memory/1348-288-0x0000000001210000-0x0000000001220000-memory.dmp

Filesize
64KB

Download
memory/1348-117-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/1348-94-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/1348-115-0x0000000001210000-0x0000000001220000-memory.dmp

Filesize
64KB

Download
memory/1556-184-0x0000000000570000-0x00000000005FC000-memory.dmp

Filesize
560KB

Download
memory/1556-179-0x00007FFE23AA0000-0x00007FFE24561000-memory.dmp

Filesize
10.8MB

Download
memory/1556-189-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/2144-107-0x0000000002560000-0x0000000004560000-memory.dmp

Filesize
32.0MB

Download
memory/2144-79-0x0000000000160000-0x000000000031C000-memory.dmp

Filesize
1.7MB

Download
memory/2144-109-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/2144-81-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/2144-80-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/3000-178-0x0000000005C50000-0x0000000005CC6000-memory.dmp

Filesize
472KB

Download
memory/3000-149-0x00000000050C0000-0x00000000050CA000-memory.dmp

Filesize
40KB

Download
memory/3000-204-0x00000000067B0000-0x00000000067EC000-memory.dmp

Filesize
240KB

Download
memory/3000-194-0x0000000006750000-0x0000000006762000-memory.dmp

Filesize
72KB

Download
memory/3000-205-0x0000000006920000-0x000000000696C000-memory.dmp

Filesize
304KB

Download
memory/3000-188-0x0000000006440000-0x000000000645E000-memory.dmp

Filesize
120KB

Download
memory/3000-145-0x00000000006E0000-0x0000000000732000-memory.dmp

Filesize
328KB

Download
memory/3000-150-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/3000-151-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/3000-193-0x0000000006810000-0x000000000691A000-memory.dmp

Filesize
1.0MB

Download
memory/3000-192-0x0000000006CC0000-0x00000000072D8000-memory.dmp

Filesize
6.1MB

Download
memory/3000-147-0x0000000004FF0000-0x0000000005082000-memory.dmp

Filesize
584KB

Download
memory/3000-146-0x00000000054A0000-0x0000000005A44000-memory.dmp

Filesize
5.6MB

Download
memory/3348-317-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/3348-323-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/3348-380-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3404-235-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3404-232-0x00000000004D0000-0x0000000000522000-memory.dmp

Filesize
328KB

Download
memory/3404-231-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/3732-344-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-346-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-347-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-352-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-353-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-345-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-354-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-355-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-357-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-358-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-359-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-361-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-371-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-372-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-343-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-393-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-386-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-334-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-381-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-376-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-375-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-395-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-397-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-402-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-400-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-338-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-407-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-409-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-404-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-411-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-419-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3732-416-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/3900-121-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3900-118-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3900-125-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4360-124-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/4360-123-0x0000000002A20000-0x0000000004A20000-memory.dmp

Filesize
32.0MB

Download
memory/4360-113-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/4360-108-0x00000000007A0000-0x00000000007F4000-memory.dmp

Filesize
336KB

Download
memory/4444-24-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/4444-21-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/4444-406-0x0000000000F30000-0x00000000013ED000-memory.dmp

Filesize
4.7MB

Download
memory/4444-148-0x0000000000F30000-0x00000000013ED000-memory.dmp

Filesize
4.7MB

Download
memory/4444-227-0x0000000000F30000-0x00000000013ED000-memory.dmp

Filesize
4.7MB

Download
memory/4444-29-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/4444-28-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/4444-27-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/4444-25-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/4444-26-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/4444-116-0x0000000000F30000-0x00000000013ED000-memory.dmp

Filesize
4.7MB

Download
memory/4444-23-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/4444-22-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/4444-19-0x0000000000F30000-0x00000000013ED000-memory.dmp

Filesize
4.7MB

Download
memory/4444-20-0x0000000000F30000-0x00000000013ED000-memory.dmp

Filesize
4.7MB

Download
memory/5008-7-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/5008-16-0x0000000000100000-0x00000000005BD000-memory.dmp

Filesize
4.7MB

Download
memory/5008-11-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/5008-10-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/5008-9-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/5008-8-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/5008-0-0x0000000000100000-0x00000000005BD000-memory.dmp

Filesize
4.7MB

Download
memory/5008-6-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/5008-5-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/5008-4-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/5008-3-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/5008-2-0x0000000000100000-0x00000000005BD000-memory.dmp

Filesize
4.7MB

Download
memory/5008-1-0x0000000076F84000-0x0000000076F86000-memory.dmp

Filesize
8KB

Download