amadey | 7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4.exe
Size

209KB
MD5

ead5c20b175ebddfc294f19d276d9f5a
SHA1

f74b6cecb5a68042dee54de356a2ab8ca9d7f622
SHA256

7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4
SHA512

2ad1a7460b4937cae9702ef5c3c0195ebfea3a352dbc6d978da978120e546b5c1b63c12d0a0a3d16b2f960d168437f477431f7e51ad6e6a078920cdc37e09cce
SSDEEP

3072:PLvfMR1x/WF2sMe/ZLahwlaMS3dpPEoPWZ3G0P7705YHDghMGwQ:PLvUR1x/uxWrpPh2jvGwQ

Malware Config

Extracted

Family

stealc

Botnet

sila

http://85.28.47.31

Attributes

url_path
/5499d72b3a3e55be.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

stealc

Botnet

QLL

http://85.28.47.70

Attributes

url_path
/744f169d372be841.php

Extracted

Family

redline

Botnet

1307newbild

185.215.113.67:40960

Extracted

Family

redline

Botnet

LiveTraffic

20.52.165.210:39030

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Monster Stealer. 3 IoCs

resource	yara_rule
behavioral1/files/0x000900000002341f-919.dat	family_monster
behavioral1/memory/5880-1191-0x00007FF6FA320000-0x00007FF6FB55E000-memory.dmp	family_monster
behavioral1/memory/5880-1228-0x00007FF6FA320000-0x00007FF6FB55E000-memory.dmp	family_monster

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023557-965.dat	family_redline
behavioral1/memory/3604-981-0x00000000006D0000-0x0000000000720000-memory.dmp	family_redline
behavioral1/memory/432-1049-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RoamingJDHIEBFHCA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AdminCGHCGIIDGD.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6212	netsh.exe
5908	netsh.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RoamingJDHIEBFHCA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AdminCGHCGIIDGD.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AdminCGHCGIIDGD.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RoamingJDHIEBFHCA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	AdminCGHCGIIDGD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	RoamingJDHIEBFHCA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	RobloxPlayerInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	AdminCFCBAAEBKE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	explorti.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	newwork.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	Hkbsse.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
6868	cmd.exe
6004	powershell.exe

Executes dropped EXE 26 IoCs

pid	Process
4656	AdminCGHCGIIDGD.exe
776	AdminCFCBAAEBKE.exe
7164	explorti.exe
6892	RoamingJDHIEBFHCA.exe
6824	axplong.exe
1260	explorti.exe
6256	Files.exe
6228	a223055a86.exe
5644	NZY3xS4BgF.exe
6324	Wz06pi6uHX.exe
632	axplong.exe
4700	explorti.exe
6772	judit1.exe
5880	stub.exe
6188	54gtxx.exe
3604	newstart.exe
5192	gold.exe
4324	acev.exe
6040	newwork.exe
6588	Hkbsse.exe
1696	2.exe
5068	RobloxPlayerInstaller.exe
5184	lobo.exe
3204	Hkbsse.exe
4992	explorti.exe
2660	axplong.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine	AdminCGHCGIIDGD.exe
Key opened	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine	RoamingJDHIEBFHCA.exe
Key opened	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine	explorti.exe

Loads dropped DLL 38 IoCs

pid	Process
2604	7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4.exe
2604	7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
5880	stub.exe
4324	acev.exe
5336	RegAsm.exe
5336	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a223055a86.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000021001\\a223055a86.exe"	explorti.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
181	raw.githubusercontent.com
180	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
177	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
7068	cmd.exe
4752	ARP.EXE

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
7072	tasklist.exe
5916	tasklist.exe
6784	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3000	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
4656	AdminCGHCGIIDGD.exe
7164	explorti.exe
6892	RoamingJDHIEBFHCA.exe
6824	axplong.exe
632	axplong.exe
4700	explorti.exe
4992	explorti.exe
2660	axplong.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 7164 set thread context of 1260	7164	explorti.exe	140
PID 6256 set thread context of 6012	6256	Files.exe	145
PID 6188 set thread context of 5336	6188	54gtxx.exe	169
PID 5192 set thread context of 432	5192	gold.exe	181
PID 4324 set thread context of 2192	4324	acev.exe	202

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorti.job	AdminCGHCGIIDGD.exe
File created	C:\Windows\Tasks\axplong.job	RoamingJDHIEBFHCA.exe
File created	C:\Windows\Tasks\Hkbsse.job	newwork.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1432	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x000800000002354c-949.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4980	2604	WerFault.exe	83
6220	6228	WerFault.exe	144
4600	5184	WerFault.exe	234
2232	1696	WerFault.exe	222

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminCGHCGIIDGD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxPlayerInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Files.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a223055a86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RoamingJDHIEBFHCA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lobo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NZY3xS4BgF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newstart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newwork.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminCFCBAAEBKE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wz06pi6uHX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54gtxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5736	cmd.exe
4408	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
1728	NETSTAT.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
6428	WMIC.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6936	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2500	ipconfig.exe
1728	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
6184	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2868	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	firefox.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2604	7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4.exe
2604	7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4.exe
4656	AdminCGHCGIIDGD.exe
4656	AdminCGHCGIIDGD.exe
5248	msedge.exe
5248	msedge.exe
2268	msedge.exe
2268	msedge.exe
2272	chrome.exe
2272	chrome.exe
2604	7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4.exe
2604	7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4.exe
7164	explorti.exe
7164	explorti.exe
6892	RoamingJDHIEBFHCA.exe
6892	RoamingJDHIEBFHCA.exe
6824	axplong.exe
6824	axplong.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
6324	Wz06pi6uHX.exe
6324	Wz06pi6uHX.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
6324	Wz06pi6uHX.exe
6324	Wz06pi6uHX.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
5644	NZY3xS4BgF.exe
6324	Wz06pi6uHX.exe
5644	NZY3xS4BgF.exe
6324	Wz06pi6uHX.exe
5644	NZY3xS4BgF.exe
6324	Wz06pi6uHX.exe
5644	NZY3xS4BgF.exe
6324	Wz06pi6uHX.exe
5644	NZY3xS4BgF.exe
6324	Wz06pi6uHX.exe
5644	NZY3xS4BgF.exe
6324	Wz06pi6uHX.exe
5644	NZY3xS4BgF.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2268	msedge.exe
2268	msedge.exe
2272	chrome.exe
2272	chrome.exe
2268	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeDebugPrivilege	400	firefox.exe
Token: SeDebugPrivilege	400	firefox.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeDebugPrivilege	5644	NZY3xS4BgF.exe
Token: SeDebugPrivilege	6324	Wz06pi6uHX.exe
Token: SeBackupPrivilege	6324	Wz06pi6uHX.exe
Token: SeBackupPrivilege	5644	NZY3xS4BgF.exe
Token: SeSecurityPrivilege	6324	Wz06pi6uHX.exe
Token: SeSecurityPrivilege	5644	NZY3xS4BgF.exe
Token: SeSecurityPrivilege	6324	Wz06pi6uHX.exe
Token: SeSecurityPrivilege	5644	NZY3xS4BgF.exe
Token: SeSecurityPrivilege	6324	Wz06pi6uHX.exe
Token: SeSecurityPrivilege	5644	NZY3xS4BgF.exe
Token: SeSecurityPrivilege	6324	Wz06pi6uHX.exe
Token: SeSecurityPrivilege	5644	NZY3xS4BgF.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeIncreaseQuotaPrivilege	6524	WMIC.exe
Token: SeSecurityPrivilege	6524	WMIC.exe
Token: SeTakeOwnershipPrivilege	6524	WMIC.exe
Token: SeLoadDriverPrivilege	6524	WMIC.exe
Token: SeSystemProfilePrivilege	6524	WMIC.exe
Token: SeSystemtimePrivilege	6524	WMIC.exe
Token: SeProfSingleProcessPrivilege	6524	WMIC.exe
Token: SeIncBasePriorityPrivilege	6524	WMIC.exe
Token: SeCreatePagefilePrivilege	6524	WMIC.exe
Token: SeBackupPrivilege	6524	WMIC.exe
Token: SeRestorePrivilege	6524	WMIC.exe
Token: SeShutdownPrivilege	6524	WMIC.exe
Token: SeDebugPrivilege	6524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6524	WMIC.exe
Token: SeRemoteShutdownPrivilege	6524	WMIC.exe
Token: SeUndockPrivilege	6524	WMIC.exe
Token: SeManageVolumePrivilege	6524	WMIC.exe
Token: 33	6524	WMIC.exe
Token: 34	6524	WMIC.exe
Token: 35	6524	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
400	firefox.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
400	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 3348	2604	7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4.exe	95
PID 2604 wrote to memory of 3348	2604	7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4.exe	95
PID 2604 wrote to memory of 3348	2604	7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4.exe	95
PID 3348 wrote to memory of 4656	3348	cmd.exe	97
PID 3348 wrote to memory of 4656	3348	cmd.exe	97
PID 3348 wrote to memory of 4656	3348	cmd.exe	97
PID 2604 wrote to memory of 2616	2604	7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4.exe	98
PID 2604 wrote to memory of 2616	2604	7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4.exe	98
PID 2604 wrote to memory of 2616	2604	7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4.exe	98
PID 2616 wrote to memory of 776	2616	cmd.exe	100
PID 2616 wrote to memory of 776	2616	cmd.exe	100
PID 2616 wrote to memory of 776	2616	cmd.exe	100
PID 776 wrote to memory of 1884	776	AdminCFCBAAEBKE.exe	101
PID 776 wrote to memory of 1884	776	AdminCFCBAAEBKE.exe	101
PID 1884 wrote to memory of 2272	1884	cmd.exe	104
PID 1884 wrote to memory of 2272	1884	cmd.exe	104
PID 1884 wrote to memory of 2268	1884	cmd.exe	105
PID 1884 wrote to memory of 2268	1884	cmd.exe	105
PID 1884 wrote to memory of 3276	1884	cmd.exe	106
PID 1884 wrote to memory of 3276	1884	cmd.exe	106
PID 2272 wrote to memory of 2456	2272	chrome.exe	107
PID 2272 wrote to memory of 2456	2272	chrome.exe	107
PID 2268 wrote to memory of 548	2268	msedge.exe	108
PID 2268 wrote to memory of 548	2268	msedge.exe	108
PID 3276 wrote to memory of 400	3276	firefox.exe	109
PID 3276 wrote to memory of 400	3276	firefox.exe	109
PID 3276 wrote to memory of 400	3276	firefox.exe	109
PID 3276 wrote to memory of 400	3276	firefox.exe	109
PID 3276 wrote to memory of 400	3276	firefox.exe	109
PID 3276 wrote to memory of 400	3276	firefox.exe	109
PID 3276 wrote to memory of 400	3276	firefox.exe	109
PID 3276 wrote to memory of 400	3276	firefox.exe	109
PID 3276 wrote to memory of 400	3276	firefox.exe	109
PID 3276 wrote to memory of 400	3276	firefox.exe	109
PID 3276 wrote to memory of 400	3276	firefox.exe	109
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110
PID 400 wrote to memory of 4448	400	firefox.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
8	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4.exe
"C:\Users\Admin\AppData\Local\Temp\7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCGHCGIIDGD.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Users\AdminCGHCGIIDGD.exe
    "C:\Users\AdminCGHCGIIDGD.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4656
  - - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:7164
    - - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1260
    - - C:\Users\Admin\AppData\Local\Temp\1000021001\a223055a86.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000021001\a223055a86.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6228
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 1028
        6⤵
        Program crash
        
        PID:6220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCFCBAAEBKE.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\AdminCFCBAAEBKE.exe
    "C:\Users\AdminCFCBAAEBKE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E520.tmp\E521.tmp\E522.bat C:\Users\AdminCFCBAAEBKE.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1884
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffaec54cc40,0x7ffaec54cc4c,0x7ffaec54cc58
        6⤵
        
        PID:2456
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,17320746004657671398,4592073052229410901,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1916 /prefetch:2
        6⤵
        
        PID:728
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,17320746004657671398,4592073052229410901,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2176 /prefetch:3
        6⤵
        
        PID:3396
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,17320746004657671398,4592073052229410901,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2556 /prefetch:8
        6⤵
        
        PID:2472
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3036,i,17320746004657671398,4592073052229410901,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3128 /prefetch:1
        6⤵
        
        PID:5832
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3044,i,17320746004657671398,4592073052229410901,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3316 /prefetch:1
        6⤵
        
        PID:5912
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2268
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffaec4046f8,0x7ffaec404708,0x7ffaec404718
        6⤵
        
        PID:548
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,3529071718194597278,8186759902346684947,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
        6⤵
        
        PID:5152
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,3529071718194597278,8186759902346684947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5248
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,3529071718194597278,8186759902346684947,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
        6⤵
        
        PID:5256
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3529071718194597278,8186759902346684947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
        6⤵
        
        PID:5344
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3529071718194597278,8186759902346684947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        6⤵
        
        PID:5432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3529071718194597278,8186759902346684947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
        6⤵
        
        PID:6840
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3276
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        6⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1904 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18cc3660-3de5-477c-a949-63b705914e5a} 400 "\\.\pipe\gecko-crash-server-pipe.400" gpu
        7⤵
        
        PID:4448
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2428 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02441fb4-33ec-46d0-bfcd-d5025b05b832} 400 "\\.\pipe\gecko-crash-server-pipe.400" socket
        7⤵
        
        PID:4228
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3212 -childID 1 -isForBrowser -prefsHandle 1580 -prefMapHandle 2740 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a4358bf-3131-4e00-81c1-fa013d04898a} 400 "\\.\pipe\gecko-crash-server-pipe.400" tab
        7⤵
        
        PID:5268
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3180 -childID 2 -isForBrowser -prefsHandle 3820 -prefMapHandle 3816 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b7d1f1a-f152-49a4-847a-889ff0acc4de} 400 "\\.\pipe\gecko-crash-server-pipe.400" tab
        7⤵
        
        PID:5884
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4204 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2828 -prefMapHandle 2832 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {977ceb87-6f75-4bcd-b17a-aa3dda4bbba5} 400 "\\.\pipe\gecko-crash-server-pipe.400" utility
        7⤵
        Checks processor information in registry
        
        PID:6336
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5008 -childID 3 -isForBrowser -prefsHandle 5028 -prefMapHandle 5024 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0626599d-f5be-4b9e-806d-294a295b6734} 400 "\\.\pipe\gecko-crash-server-pipe.400" tab
        7⤵
        
        PID:5204
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5188 -childID 4 -isForBrowser -prefsHandle 5196 -prefMapHandle 5200 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46b8a835-001d-41f1-84a6-100f3d98132e} 400 "\\.\pipe\gecko-crash-server-pipe.400" tab
        7⤵
        
        PID:5540
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 5 -isForBrowser -prefsHandle 5484 -prefMapHandle 5480 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4884ca9b-5e8d-4a81-ad22-1d00dc916be9} 400 "\\.\pipe\gecko-crash-server-pipe.400" tab
        7⤵
        
        PID:6408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\RoamingJDHIEBFHCA.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1100
- - C:\Users\Admin\AppData\RoamingJDHIEBFHCA.exe
    "C:\Users\Admin\AppData\RoamingJDHIEBFHCA.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:6892
  - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:6824
    - - C:\Users\Admin\AppData\Local\Temp\1000160001\Files.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000160001\Files.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6256
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Users\Admin\AppData\Roaming\NZY3xS4BgF.exe
        
        "C:\Users\Admin\AppData\Roaming\NZY3xS4BgF.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5644
        
        C:\Users\Admin\AppData\Roaming\Wz06pi6uHX.exe
        
        "C:\Users\Admin\AppData\Roaming\Wz06pi6uHX.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6324
    - - C:\Users\Admin\AppData\Local\Temp\1000193001\judit1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000193001\judit1.exe"
        5⤵
        Executes dropped EXE
        
        PID:6772
      - C:\Users\Admin\AppData\Local\Temp\onefile_6772_133662745853534542\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000193001\judit1.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:3016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:2616
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        7⤵
        
        PID:5400
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:7072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        7⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:3000
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        8⤵
        Views/modifies file attributes
        
        PID:8
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
        7⤵
        
        PID:3992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        7⤵
        
        PID:1668
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:2868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:5508
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:5916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        7⤵
        Clipboard Data
        
        PID:6868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        8⤵
        Clipboard Data
        
        PID:6004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        7⤵
        
        PID:6820
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:5972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        7⤵
        
        PID:4532
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:6032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        7⤵
        Network Service Discovery
        
        PID:7068
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        8⤵
        Gathers system information
        
        PID:6184
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        8⤵
        
        PID:5776
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        8⤵
        Collects information from the system
        
        PID:6428
        
        C:\Windows\system32\net.exe
        
        net user
        8⤵
        
        PID:4064
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        9⤵
        
        PID:5612
        
        C:\Windows\system32\query.exe
        
        query user
        8⤵
        
        PID:5632
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        9⤵
        
        PID:5424
        
        C:\Windows\system32\net.exe
        
        net localgroup
        8⤵
        
        PID:6552
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        9⤵
        
        PID:5876
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        8⤵
        
        PID:6408
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        9⤵
        
        PID:3348
        
        C:\Windows\system32\net.exe
        
        net user guest
        8⤵
        
        PID:3164
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        9⤵
        
        PID:116
        
        C:\Windows\system32\net.exe
        
        net user administrator
        8⤵
        
        PID:5272
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        9⤵
        
        PID:6236
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        8⤵
        
        PID:1568
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        8⤵
        Enumerates processes with tasklist
        
        PID:6784
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        8⤵
        Gathers network information
        
        PID:2500
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        8⤵
        
        PID:4924
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        8⤵
        Network Service Discovery
        
        PID:4752
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        8⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:1728
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        8⤵
        Launches sc.exe
        
        PID:1432
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6212
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5736
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:1864
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:1804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:4828
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:6584
    - - C:\Users\Admin\AppData\Local\Temp\1000202001\54gtxx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000202001\54gtxx.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6188
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5328
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:5336
    - - C:\Users\Admin\AppData\Local\Temp\1000240001\newstart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000240001\newstart.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3604
    - - C:\Users\Admin\AppData\Local\Temp\1000259001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000259001\gold.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5192
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:432
    - - C:\Users\Admin\AppData\Local\Temp\1000304001\acev.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000304001\acev.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4324
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
    - - C:\Users\Admin\AppData\Local\Temp\1000313001\newwork.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000313001\newwork.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:6040
      - C:\Users\Admin\AppData\Local\Temp\9b26cd18f9\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9b26cd18f9\Hkbsse.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6588
        
        C:\Users\Admin\AppData\Local\Temp\1000007001\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000007001\2.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        
        PID:1696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 352
        8⤵
        Program crash
        
        PID:2232
    - - C:\Users\Admin\AppData\Local\Temp\1000339001\RobloxPlayerInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000339001\RobloxPlayerInstaller.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5068
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 10 & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 10
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:6936
    - - C:\Users\Admin\AppData\Local\Temp\1000340001\lobo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000340001\lobo.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5184
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5184 -s 488
        6⤵
        Program crash
        
        PID:4600
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 2204
  2⤵
  - Program crash
  PID:4980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5876

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:6720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2604 -ip 2604
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 6228 -ip 6228
1⤵
PID:7092

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4700

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 348 -p 5184 -ip 5184
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 1696 -ip 1696
1⤵
PID:5724

C:\Users\Admin\AppData\Local\Temp\9b26cd18f9\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\9b26cd18f9\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:3204

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4992

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\AdminCFCBAAEBKE.exe

Filesize
89KB

MD5
d72007a9646255ac092cf654388cfeb8

SHA1
5899014b81e4bc7be63db2170036397110a2fdec

SHA256
c8530bb2e1f9bbe484875a2db1f78552a1fb38edb911ed6e93e86c48ce34d919

SHA512
252c6da72e7b5cb71c12002810ebb09c90ac0657081c71e8e7a0db28f992177a8a4c589700f3aed4712759559aa843dadfa0d94e1d499dd65d0f4d5d01ab347e

Download Submit
C:\Users\AdminCGHCGIIDGD.exe

Filesize
1.8MB

MD5
a0ced1b039766fbe1b0c2da4f5bbaa5e

SHA1
fc8cd54e79fb23e550e29f6cf0dc0400d8550e15

SHA256
9e582118bdc2b1ba04a4b393e8a0fc0e2e7156a615e0c411aea24de743c7996e

SHA512
ac2f515e43de5a5f659c26b1a4ed8f8e7b4090d3cdb9ea9195ddf8e8da77f6d349deadd87d6a4a049f0fd3fc4a2d63562d35fa788ee1c0cf09a5a34c936feb74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
290B

MD5
ddd69c0695ba6fc91275105a9e216b5c

SHA1
6ce0e866341bce017c1a4514069db2db627923a0

SHA256
61d99fc9a50adf22f75191281af6f6b328f5738a5085a73a6bfbfd533b8b1cbd

SHA512
06efefa7f2a0e07cf02e813c50f77bcc24b9ba0d7c22b21da3e35194124bdf5c163edc0ff1f47193b77cc66d1eb81ade8fc8060fe3d1dac6eebc6ddeeca2472e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
551da8aa3c56c3edf4a4abbd4277f235

SHA1
ac506b5af29a570e9b28fc37e6cff90b6afbd466

SHA256
dca2cba85bb2ab91f43f9010eeabbfc32b9996c867bdf7c1018d973a727753fb

SHA512
495f6da701744cbb5c76f1cf9e2d03279633d6e0a7809a3c8061948af5c758f8ddc464901b9bb20f8cf4007e25810422b3153116c5f3d02739abe64ee3f3a542

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c0bb8cb6a506854aa181762fb5c7041b

SHA1
cf2318aa9c982c3d999a838969ebd7072a40392b

SHA256
6493b88cdbc711b870c724de6ad57d16fde1702a0001ef1aa73322f21b73563a

SHA512
149aec013cbc6c1545f4f21e95574ead63da1ae7b18ec5a11eb40ad27e13bb2e5f36351356396d3b630e733f3dc45067298c214a3bc415353c6b07d1e94322fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
1ee4e06f45c86086747b0edaefac4c08

SHA1
455b9ea1460a151b6cf76270f870bb099df5f38e

SHA256
0467b3aed92661899b1e91e8d384aaeba0429575dce60bb8817cebef1c7a724b

SHA512
c9fed4c9411515c296dab751f32d183359bf1094d7091d6cc488799684ff7bb5fa9e7d6d5c09406d9da47461ae94f0b66cd2bcf077bb9c269c932a3ef4557a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bafce9e4c53a0cb85310891b6b21791b

SHA1
5d70027cc137a7cbb38f5801b15fd97b05e89ee2

SHA256
71fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00

SHA512
c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a499254d6b5d91f97eb7a86e5f8ca573

SHA1
03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1

SHA256
fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499

SHA512
d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
38KB

MD5
a5156555f80cc19c341bf5e5ffce1e56

SHA1
b35d25bb3d60afa06154be920f643697705ab82b

SHA256
f30f5ed466b725d1c1be22dfe6d76d3f4518a4c44757f202a1f70514171f24c1

SHA512
0f29f3e58b35eedb4a4b150baa21a319c5253e846250d2f79356b84d3fe7f7ce51714daf68f564b58ea52b8bbad1b7c1681e53e21b20f9235210d9d874a8397b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fe0f8a9d7395b18f70e83de9baeda59a

SHA1
d61a1d56e0b370570ae6d11787630230ad7b3f06

SHA256
c4da4be01736ca5fbc813bf785262c922ed9257340276085006ef3d162ba23dc

SHA512
136de0d89e830c834172148a5ffced2ceb18a55db9340ab62850f1bcbbbc7dc0f199b4d156b1b3f1418352babd0963d9440e5710420aab146047c9515d89a97c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e7cd98b475e36067679ebd8d3a6618ba

SHA1
8d6150d753cfe024f4b133a7ce2463f96c29a45f

SHA256
87db24689572fae47a97d15d2a74fe770e2b27d6099ea689485feba0e1c8836a

SHA512
de5328c1e8c9342a2ff6dcd34a10cd8c2f4b91276af9f8778553d7b1f12fa590d85ec0f6166ee20bf2b37c1b11d293e418861c81eba35ed94e02d9ba0ec548c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e44391b0467a997e660f33bd16e3e52e

SHA1
fb26fd99a3ef4958c22d388f7832202e03a794ab

SHA256
25c2119daad9183ae3fd47a0fab0af617bcfffc29423cd7fd1fb6103ff530ccc

SHA512
e6f5a5c7caaf82ea28e6b103cbe4470e0a00131a2052487c5075ca8eeb6ada16f0b02f958e1d491f342883d95e12a178657815de22f0ab7c08bae2a854acb6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\2.exe

Filesize
162KB

MD5
cdf326709897b67d581a35b9ac2dc567

SHA1
3e765d8cd6f23cba351c00564dd2319713c7ef67

SHA256
3b2b729d214eb023ce4c32b856f9b33bd4698303c6f134488527dfb236d167ec

SHA512
1fdfa61e50a49b8bbf16cfdff87e1d94576f5470df9e0c37e712276709f895f44ac55e4715ee24289f5ee4929cbc7621e8de3b294f679e9f9e32bc0afb057115

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000021001\a223055a86.exe

Filesize
209KB

MD5
ead5c20b175ebddfc294f19d276d9f5a

SHA1
f74b6cecb5a68042dee54de356a2ab8ca9d7f622

SHA256
7e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4

SHA512
2ad1a7460b4937cae9702ef5c3c0195ebfea3a352dbc6d978da978120e546b5c1b63c12d0a0a3d16b2f960d168437f477431f7e51ad6e6a078920cdc37e09cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000160001\Files.exe

Filesize
1.3MB

MD5
90b3832d4da1a85d18c9c515cb01780e

SHA1
57a70473e3046328cdce3da7943d13c1a79fe8c5

SHA256
ba82b9708925f266c292334bc5e20e963c6e20ce134f03f79892fd5c26e645f8

SHA512
3987c88a9a30a0c1b2ca03e784e3c0631f83e5576faa3243787ab2407f1fd0f9302a538e0caccc785d308802eabaf91ded96902cab70be51482513c72cd383e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000193001\judit1.exe

Filesize
10.7MB

MD5
c8cf26425a6ce325035e6da8dfb16c4e

SHA1
31c2b3a26c05b4bf8dea8718d1df13a0c2be22ee

SHA256
9f7be9bf913d8378f094b3f6416db9aa4c80c380000202f7cfaddadb6efc41b4

SHA512
0321e48e185c22165ac6429e08afac1ccfdf393249436c8eac8a6d64794b3b399740aa5b2be23d568f57495d17e9220280ed1c2ea8f012b2c4021beb02cbc646

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000202001\54gtxx.exe

Filesize
369KB

MD5
1b1c6f48b7c91a48a0dcd736ed0c8d24

SHA1
78378356bd87ca67da61826074c5737c09c197d3

SHA256
525a892469b4c88bf26e584ecf9a57c1f76aa9dd8e14d3a6840b73f59dbc5cf8

SHA512
108828525faa53156c16c03c2a7a0d87775b7575553fa408eec15692f0205fce7b9f48ff42f76095d15b15de4ec07b1d2145da440cc8237485b7ee3c06885cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000240001\newstart.exe

Filesize
297KB

MD5
a20fc3377c07aa683a47397f9f5ff355

SHA1
13160e27dcea48dc9c5393948b7918cb2fcdd759

SHA256
f7891ca59e0907217db3eeafbe751e2d184317a871450b5ec401217a12df9d33

SHA512
dcdba7203efeea40366375fb54123b11bba972552795c64cbe912bef137698d308ea8e370732e5a65cba5687fbe6095bd53e5e1e49e3a6d8cf6912ebb61da254

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000259001\gold.exe

Filesize
527KB

MD5
3828babaa69c01aa31609e67ac8c1f71

SHA1
97c9185851f81f6d9cffa22105dc858add2768f8

SHA256
a13c3863d0fdb36d18368500bd07167cd058d7b6fb511a9356b2cf99d14ccb48

SHA512
b1baf57c8a90df0142d913e83046e532161c72e894dc5aa46d3368f9e8c6d9a97067def52d07367f5a15dba84a4f6a040c3ef289a819c48d5be5653583a69234

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000304001\acev.exe

Filesize
681KB

MD5
4f5771aa008fb55801a3f9fba7130f69

SHA1
eaace725791c08810198c08907b84b8850d4ef5b

SHA256
447ed0bdf4f8d0479545724b9578d2a3296b6bc5e2162d7ba405276234eccf0d

SHA512
0ce8c4c44338d92f4a5f07f38a93812a85ce5524a4ed0c4e4d616127ea6fe02e94df0938075b4d2dc3eead2fac4a827230b0d2e1333bb51146d92417b1a5bfec

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000313001\newwork.exe

Filesize
416KB

MD5
3764897fd08b8427b978fb099c091f71

SHA1
a6abba0f071fbf0d4fa529b773678c6532493164

SHA256
a67f6fa1fa32b492f08ae46e187a143d8b107863df119cdb0759b39446827a68

SHA512
472730a36d32c15b4758c0c6051f27a3e72cf09e7e9d031ca923bb3d098fc7bd05e3acd00e204d41cc9c0b65ddf88cc151e9cb8e6646a73a380499c83ea4bc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000339001\RobloxPlayerInstaller.exe

Filesize
5.6MB

MD5
753df56b82850430b8c7e25aaa93ea66

SHA1
5977fa278c4ab6f2e515efe72f09c85e67ff0590

SHA256
25129518eb2a72e5cee72ab1e567393abed215bb722e4db5d739b1480f1e18f2

SHA512
8e25374af7d513be5b2f6700dc4d07fdeea75e2fc56b32cd0ea6c5117334a02ede3cace39836df64680da92d5231d08c2f08798e9a27f2315496beda37710ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000340001\lobo.exe

Filesize
324KB

MD5
848abdbd09c052799a0e0180b59f6fee

SHA1
2f73b04baf17c3a9f9d21f6f324d64306a10682c

SHA256
1aa0622a744ec4d28a561bac60ec5e907476587efbadfde546d2b145be4b8109

SHA512
eb3a87e787d151915da06f89132d6e5b9b7682a3a69761795180050f42c7fbe8831049ee96410e7b7de5e7c835ceff1e24e84321cccf8d6ed9ba5928bca58203

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies.db

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\E520.tmp\E521.tmp\E522.bat

Filesize
2KB

MD5
de9423d9c334ba3dba7dc874aa7dbc28

SHA1
bf38b137b8d780b3d6d62aee03c9d3f73770d638

SHA256
a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698

SHA512
63f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
119KB

MD5
87596db63925dbfe4d5f0f36394d7ab0

SHA1
ad1dd48bbc078fe0a2354c28cb33f92a7e64907e

SHA256
92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4

SHA512
e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
75KB

MD5
e137df498c120d6ac64ea1281bcab600

SHA1
b515e09868e9023d43991a05c113b2b662183cfe

SHA256
8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a

SHA512
cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

Filesize
6.9MB

MD5
f918173fbdc6e75c93f64784f2c17050

SHA1
163ef51d4338b01c3bc03d6729f8e90ae39d8f04

SHA256
2c7a31dec06df4eec6b068a0b4b009c8f52ef34ace785c8b584408cb29ce28fd

SHA512
5405d5995e97805e68e91e1f191dc5e7910a7f2ba31619eb64aff54877cbd1b3fa08b7a24b411d095edb21877956976777409d3db58d29da32219bf578ce4ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wigdxqta.xqa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6772_133662745853534542\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6772_133662745853534542\_bz2.pyd

Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6772_133662745853534542\_cffi_backend.pyd

Filesize
177KB

MD5
ebb660902937073ec9695ce08900b13d

SHA1
881537acead160e63fe6ba8f2316a2fbbb5cb311

SHA256
52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd

SHA512
19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6772_133662745853534542\_lzma.pyd

Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6772_133662745853534542\_sqlite3.pyd

Filesize
95KB

MD5
7f61eacbbba2ecf6bf4acf498fa52ce1

SHA1
3174913f971d031929c310b5e51872597d613606

SHA256
85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e

SHA512
a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6772_133662745853534542\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6772_133662745853534542\python3.dll

Filesize
63KB

MD5
07bd9f1e651ad2409fd0b7d706be6071

SHA1
dfeb2221527474a681d6d8b16a5c378847c59d33

SHA256
5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5

SHA512
def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6772_133662745853534542\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6772_133662745853534542\sqlite3.dll

Filesize
1.4MB

MD5
926dc90bd9faf4efe1700564aa2a1700

SHA1
763e5af4be07444395c2ab11550c70ee59284e6d

SHA256
50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0

SHA512
a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_6772_133662745853534542\stub.exe

Filesize
18.0MB

MD5
1cf17408048317fc82265ed6a1c7893d

SHA1
9bfec40d6eb339c5a6c2ad6e5fa7cebc147654c5

SHA256
1352ad9860a42137b096d9675a7b8d578fbc596d965de3cb352619cbe6aaf4e9

SHA512
66322d7cb5931017acaa29970da48642d03ce35007f130511b2848b67169c1dd4167f1e5a31e5e1dfe5f7122846482bdb878b5cd695ac58009033fd620813a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp29EC.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A4D.tmp

Filesize
114KB

MD5
20698b0aeafa51b961cd383ef3f99ccb

SHA1
a81cf3b3e1da80e1a99faf0cc47e6f93087b755c

SHA256
9e58a7cfc4125c430dc8aa17d4aaeac7646efc556bb26f859559b957f68240dd

SHA512
85bf507f86a743343141d0654ab47db8ccf1674de25e742be7c5f3925befcaac917b5e65d8b9a9272de05c250dd442e0b1bcdae68947c7e418adebde9f2e37fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B50.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2BA1.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2BC4.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\RoamingJDHIEBFHCA.exe

Filesize
1.8MB

MD5
927614bdb1fff68b49468bc4a3886f36

SHA1
e684e796b2d93374c80e94d5b77fdd50c194a0d4

SHA256
30b7b1795af4fa8f43cdf9595f5a266ddfa407e9e3bab55b0684618efc6bbd0d

SHA512
b8c84b98902d8b9b942d8b928a65e7f23465d773f9751f64695e011717ac84257d9d736781c7e9c239ed27b481f1c7fca5a62a2ea3f255797f868e6d7a7829e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\AlternateServices.bin

Filesize
8KB

MD5
b668f2edba85c2d926aa9b5a2af77451

SHA1
43a1b3ef16e64c6059b078be1a1161dfb14ef5cb

SHA256
4688326ee13d8b7fa3b081c9134f605b098b07884636fc6bce12400d591aba11

SHA512
ec2710e2353627578dc018c06ce70bb941de8283d9614f27b2594a78d1919c6d0a846d38ea29e7aeeb664258b6eddde92173f8ad4473ec20a1fd9186052af1a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
631ad126a084b56f57920a04f6e192e4

SHA1
654f6435c89c7062befd16f1b90260df5f7ebf57

SHA256
ff91b65e1a3bd2ff5286cb7ae60e18d42505a89938d1ee583483c6d48f6a8d10

SHA512
bd8f42354ead86090fb785fa01304791425672ea4474995285d9c33a0da0363885e5554e08021fddf87cfe405f2ae42b401ae9211488d791b31754f22ed3cd67

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\pending_pings\c4eb871e-b766-4b21-98c2-42f12354b925

Filesize
671B

MD5
00737f0fa1c4f1626edd94427a838339

SHA1
651a364f5e0e2732b4ea62ddcda11ea47417f334

SHA256
42152d2273a5fa07481c782d7d6d105fe6d2f169c09225146fcd625de16d8589

SHA512
de95c4dc9d6cc4bd6830e3bb84015bbc64c8c781bd65255064f6810df78d11ba0b6e2807b24a48de0adb8b18aa1aa20b9b59ac10425c326013a1c65ae2b06c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\pending_pings\e701e0bc-6494-4cb2-a18f-47980383f00d

Filesize
982B

MD5
7c329f77dee5057adb4b753370ab2230

SHA1
09613581659d0a06797ec659a123e421f5fb34d1

SHA256
2d8b3aea9284c05ac25f3dadbd3063d713833ad4569d5f2f9fa29693dbc5b404

SHA512
ab19a9da5d499ffc43ae3fb37aff78fdca0068102a4e3494dc54c833c36da77d5759cfba487bae397e65b4ee0a73955ecc0dcadc927a71145332426d81438fbc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\pending_pings\f83ce3ce-cea1-413c-8cd9-e20b457181ee

Filesize
25KB

MD5
882d5b29f2dac79e4cbc9b3b4f8ede4e

SHA1
26329c83115aaced871f754e724fde370ffb8862

SHA256
0b2a3784a4282cc951d2a2e981b4210097433def2c80f160468dc885952f56d0

SHA512
a48152225d8b3d80ea6b00a3d65d9048b8f0e3121c20c1cc4fe670a4517601836e96dc002339b54c3ce434e8a1c23de81e88dfae5e35d117ffdb2deaa4ba64aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\prefs-1.js

Filesize
11KB

MD5
b03e9a17e8e0a38d5c9225f2574dc17d

SHA1
5ba790568f5491d5af747649e36ae8fe5467e24b

SHA256
2d77d79fc023c92526c3543a0f436f8f2762198ed3da4469c7eb36feb9ca474d

SHA512
668f4cfbfe69c8a8bf61694134dd9b04780440e59e805968d71fe72b42f1bd4e06b44ee374436deab58096e557e964ca262eee48aa19d4b31de9d2b2725934d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\prefs.js

Filesize
8KB

MD5
1028c0df36cb6d0c69ddccbe86a774a0

SHA1
c18ae361b9a58d0caf86b2a6fd0877f500a256d7

SHA256
df11c6e6fee95617652f5d895e55806458dba906a0a502c35f2a4042f417a8cd

SHA512
a6fcd92f9bfa6df87b3776c0641c175f9ad323a75d1a263bb75992966b005cfae35aff9a42ee0f5edcfb1b46395452815f65db6e8677f4ae8e31384127c7bcf4

Download Submit
C:\Users\Admin\AppData\Roaming\NZY3xS4BgF.exe

Filesize
381KB

MD5
1b75671fb234ae1fb72406a317fa752a

SHA1
bd47c38b7fb55d013b85c60cd51c8c5ee56f3757

SHA256
499d5830b76daff19e04393ba05f63baa893f8d86ae358fc59365a5938177cbe

SHA512
4c96d2c40862f73314394f48bc9c0930d5c51bfaa389185518c84ac921ceafab0f296df48655a9640d4232265daf67f3b0f4b886bfd31d230e8ec9ed11bbc2f5

Download Submit
C:\Users\Admin\AppData\Roaming\Wz06pi6uHX.exe

Filesize
503KB

MD5
2c2be38fb507206d36dddb3d03096518

SHA1
a16edb81610a080096376d998e5ddc3e4b54bbd6

SHA256
0c7173daaa5ad8dabe7a2cde6dbd0eee1ca790071443aa13b01a1e731053491e

SHA512
e436954d7d5b77feb32f200cc48cb01f94b449887443a1e75ebef2f6fa2139d989d65f5ea7a71f8562c3aae2fea4117efc87e8aae905e1ba466fbc8bb328b316

Download Submit
memory/432-1049-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/632-862-0x0000000000BE0000-0x00000000010AA000-memory.dmp

Filesize
4.8MB

Download
memory/632-867-0x0000000000BE0000-0x00000000010AA000-memory.dmp

Filesize
4.8MB

Download
memory/1260-570-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1260-572-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2192-1113-0x0000000000370000-0x00000000003EC000-memory.dmp

Filesize
496KB

Download
memory/2604-3-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2604-76-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2604-4-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2604-1-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2604-515-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2604-2-0x0000000000AC0000-0x0000000000AF0000-memory.dmp

Filesize
192KB

Download
memory/2660-1247-0x0000000000BE0000-0x00000000010AA000-memory.dmp

Filesize
4.8MB

Download
memory/2660-1243-0x0000000000BE0000-0x00000000010AA000-memory.dmp

Filesize
4.8MB

Download
memory/3604-1181-0x0000000006AC0000-0x0000000006B10000-memory.dmp

Filesize
320KB

Download
memory/3604-981-0x00000000006D0000-0x0000000000720000-memory.dmp

Filesize
320KB

Download
memory/3604-984-0x0000000005320000-0x000000000536C000-memory.dmp

Filesize
304KB

Download
memory/4324-1104-0x00000000009D0000-0x0000000000A80000-memory.dmp

Filesize
704KB

Download
memory/4324-1107-0x00000000011E0000-0x00000000011E6000-memory.dmp

Filesize
24KB

Download
memory/4656-403-0x0000000000B60000-0x0000000001013000-memory.dmp

Filesize
4.7MB

Download
memory/4656-83-0x0000000000B60000-0x0000000001013000-memory.dmp

Filesize
4.7MB

Download
memory/4700-863-0x0000000000D50000-0x0000000001203000-memory.dmp

Filesize
4.7MB

Download
memory/4700-868-0x0000000000D50000-0x0000000001203000-memory.dmp

Filesize
4.7MB

Download
memory/4992-1245-0x0000000000D50000-0x0000000001203000-memory.dmp

Filesize
4.7MB

Download
memory/5068-1232-0x0000000003EC0000-0x0000000003EC8000-memory.dmp

Filesize
32KB

Download
memory/5068-1230-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/5336-978-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/5336-977-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/5336-987-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5644-651-0x00000000002C0000-0x0000000000326000-memory.dmp

Filesize
408KB

Download
memory/5644-654-0x0000000004CE0000-0x0000000004D72000-memory.dmp

Filesize
584KB

Download
memory/5644-681-0x0000000007A70000-0x0000000007AAC000-memory.dmp

Filesize
240KB

Download
memory/5644-682-0x0000000007BE0000-0x0000000007C2C000-memory.dmp

Filesize
304KB

Download
memory/5644-679-0x0000000007AD0000-0x0000000007BDA000-memory.dmp

Filesize
1.0MB

Download
memory/5644-693-0x0000000009710000-0x00000000098D2000-memory.dmp

Filesize
1.8MB

Download
memory/5644-688-0x0000000008B20000-0x0000000008B86000-memory.dmp

Filesize
408KB

Download
memory/5644-680-0x0000000007A10000-0x0000000007A22000-memory.dmp

Filesize
72KB

Download
memory/5880-1228-0x00007FF6FA320000-0x00007FF6FB55E000-memory.dmp

Filesize
18.2MB

Download
memory/5880-1191-0x00007FF6FA320000-0x00007FF6FB55E000-memory.dmp

Filesize
18.2MB

Download
memory/6004-1075-0x000002195F070000-0x000002195F092000-memory.dmp

Filesize
136KB

Download
memory/6012-608-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/6012-643-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/6012-614-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/6012-616-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/6012-617-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/6228-691-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/6324-690-0x0000000009620000-0x000000000963E000-memory.dmp

Filesize
120KB

Download
memory/6324-664-0x00000000050B0000-0x00000000050BA000-memory.dmp

Filesize
40KB

Download
memory/6324-652-0x0000000000570000-0x00000000005F4000-memory.dmp

Filesize
528KB

Download
memory/6324-653-0x0000000005680000-0x0000000005C24000-memory.dmp

Filesize
5.6MB

Download
memory/6324-678-0x0000000008700000-0x0000000008D18000-memory.dmp

Filesize
6.1MB

Download
memory/6324-694-0x000000000A680000-0x000000000ABAC000-memory.dmp

Filesize
5.2MB

Download
memory/6324-689-0x0000000009680000-0x00000000096F6000-memory.dmp

Filesize
472KB

Download
memory/6772-1190-0x00007FF7A5560000-0x00007FF7A6038000-memory.dmp

Filesize
10.8MB

Download
memory/6772-1229-0x00007FF7A5560000-0x00007FF7A6038000-memory.dmp

Filesize
10.8MB

Download
memory/6824-1234-0x0000000000BE0000-0x00000000010AA000-memory.dmp

Filesize
4.8MB

Download
memory/6824-1192-0x0000000000BE0000-0x00000000010AA000-memory.dmp

Filesize
4.8MB

Download
memory/6824-980-0x0000000000BE0000-0x00000000010AA000-memory.dmp

Filesize
4.8MB

Download
memory/6824-1223-0x0000000000BE0000-0x00000000010AA000-memory.dmp

Filesize
4.8MB

Download
memory/6824-861-0x0000000000BE0000-0x00000000010AA000-memory.dmp

Filesize
4.8MB

Download
memory/6824-541-0x0000000000BE0000-0x00000000010AA000-memory.dmp

Filesize
4.8MB

Download
memory/6892-475-0x0000000000C40000-0x000000000110A000-memory.dmp

Filesize
4.8MB

Download
memory/6892-542-0x0000000000C40000-0x000000000110A000-memory.dmp

Filesize
4.8MB

Download
memory/7164-979-0x0000000000D50000-0x0000000001203000-memory.dmp

Filesize
4.7MB

Download
memory/7164-1233-0x0000000000D50000-0x0000000001203000-memory.dmp

Filesize
4.7MB

Download
memory/7164-1235-0x0000000000D50000-0x0000000001203000-memory.dmp

Filesize
4.7MB

Download
memory/7164-687-0x0000000000D50000-0x0000000001203000-memory.dmp

Filesize
4.7MB

Download
memory/7164-1167-0x0000000000D50000-0x0000000001203000-memory.dmp

Filesize
4.7MB

Download
memory/7164-400-0x0000000000D50000-0x0000000001203000-memory.dmp

Filesize
4.7MB

Download