amadey | 54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-10-2024 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
Size

1.8MB
MD5

c66b635299ed3301414a579b16e04c5c
SHA1

6cd13860578174194beef8cfd0cbe0cfc8f2dfaa
SHA256

54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb
SHA512

e29242970c9b2ca1bf32a2a38058cef75716f683d93af2af60fe3aa865558acf967e242b918c0a361f1714fe91ef3181134de4c1825428c26d14ba8ff97bf1eb
SSDEEP

49152:/Qqdldr/FNHYR9RTf/fXISVdkuWqJHFv1i:3lF/FOhXXIKCqL

Score

10^/10

amadey redline stealc 9c9aa5 default2 doma fed3aa livetraffic newbundle2 tg cloud @rlreborn admin @fatherofcarders zalupa credential_access discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

136.244.88.135:17615

Extracted

Family

stealc

Botnet

default2

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

stealc

Botnet

zalupa

http://95.217.92.42:22

Attributes

url_path
/7db38bfff9324bbe.php

Extracted

Family

redline

Botnet

newbundle2

185.215.113.67:15206

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

doma

http://185.215.113.37

Attributes

url_path
/e2b1563c6670f193.php

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

89.105.223.196:29862

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

resource	yara_rule
behavioral1/memory/1608-42-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1608-41-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1608-48-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1608-46-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1608-45-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/files/0x0005000000019622-184.dat	family_redline
behavioral1/memory/1728-195-0x0000000000020000-0x0000000000072000-memory.dmp	family_redline
behavioral1/memory/2700-651-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1856 created 1200	1856	Waters.pif	21
PID 1856 created 1200	1856	Waters.pif	21

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9ccd4b8a29.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	75fd6f4435.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	file.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9ccd4b8a29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9ccd4b8a29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	75fd6f4435.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	75fd6f4435.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url	cmd.exe

Executes dropped EXE 30 IoCs

pid	Process
2088	axplong.exe
1104	gold.exe
844	legas.exe
1948	IBFHS19Er7.exe
1964	2Pzxp4TS18.exe
2380	Nework.exe
924	Hkbsse.exe
1816	stealc_default2.exe
2384	penis.exe
1728	newbundle2.exe
2588	9ccd4b8a29.exe
1520	75fd6f4435.exe
2572	processclass.exe
2644	skotes.exe
1680	splwow64.exe
1856	Waters.pif
1264	skotes.exe
1592	66fa80c468fe3_Channel2.exe
2320	num.exe
2776	context.exe
2484	Waters.pif
1984	2.exe
2172	file.exe
2120	remcos.exe
2936	MK.exe
2388	resota.exe
2800	setup3.exe
1048	Set-up.exe
1704	service123.exe
2388	service123.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine	9ccd4b8a29.exe
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine	75fd6f4435.exe
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe

Loads dropped DLL 56 IoCs

pid	Process
2900	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
2088	axplong.exe
2784	WerFault.exe
2784	WerFault.exe
2784	WerFault.exe
2088	axplong.exe
896	WerFault.exe
896	WerFault.exe
896	WerFault.exe
896	WerFault.exe
896	WerFault.exe
2312	MSBuild.exe
2312	MSBuild.exe
2088	axplong.exe
2380	Nework.exe
2088	axplong.exe
2088	axplong.exe
2088	axplong.exe
2088	axplong.exe
2088	axplong.exe
2088	axplong.exe
2088	axplong.exe
1816	stealc_default2.exe
1816	stealc_default2.exe
2088	axplong.exe
2088	axplong.exe
1520	75fd6f4435.exe
2088	axplong.exe
2644	skotes.exe
1804	cmd.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2088	axplong.exe
2088	axplong.exe
2644	skotes.exe
2644	skotes.exe
2400	cmd.exe
2088	axplong.exe
2088	axplong.exe
2088	axplong.exe
2088	axplong.exe
2172	file.exe
2172	file.exe
2088	axplong.exe
2088	axplong.exe
2388	resota.exe
2800	setup3.exe
2800	setup3.exe
2800	setup3.exe
2388	resota.exe
2388	resota.exe
1048	Set-up.exe
1048	Set-up.exe
1704	service123.exe
2388	service123.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\num.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000336001\\num.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	file.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\9ccd4b8a29.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000354001\\9ccd4b8a29.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\75fd6f4435.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000355001\\75fd6f4435.exe"	axplong.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
1924	tasklist.exe
1716	tasklist.exe
1872	tasklist.exe
556	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2900	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
2088	axplong.exe
2588	9ccd4b8a29.exe
1520	75fd6f4435.exe
2644	skotes.exe
1264	skotes.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1104 set thread context of 1608	1104	gold.exe	34
PID 844 set thread context of 2312	844	legas.exe	37
PID 2644 set thread context of 1264	2644	skotes.exe	64
PID 2120 set thread context of 2024	2120	remcos.exe	97
PID 2936 set thread context of 2700	2936	MK.exe	100

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	75fd6f4435.exe
File opened for modification	C:\Windows\HardlyAircraft	splwow64.exe
File opened for modification	C:\Windows\BrandonBlind	splwow64.exe
File opened for modification	C:\Windows\IpaqArthur	splwow64.exe
File opened for modification	C:\Windows\ViewpictureKingdom	context.exe
File opened for modification	C:\Windows\BrandonBlind	context.exe
File opened for modification	C:\Windows\IpaqArthur	context.exe
File created	C:\Windows\Tasks\axplong.job	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
File created	C:\Windows\Tasks\Hkbsse.job	Nework.exe
File opened for modification	C:\Windows\ViewpictureKingdom	splwow64.exe
File opened for modification	C:\Windows\HardlyAircraft	context.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2784	1104	WerFault.exe	33
896	844	WerFault.exe	36
2136	2384	WerFault.exe	45

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	num.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newbundle2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	penis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	legas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nework.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75fd6f4435.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	splwow64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	resota.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Waters.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Waters.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66fa80c468fe3_Channel2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ccd4b8a29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	context.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	penis.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	penis.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Set-up.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Set-up.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2052	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2552	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	IBFHS19Er7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	2Pzxp4TS18.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 190000000100000010000000dbd91ea86008fd8536f2b37529666c7b0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b064140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	2Pzxp4TS18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	2Pzxp4TS18.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000020000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	2Pzxp4TS18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	IBFHS19Er7.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1096	schtasks.exe
1680	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2776	context.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
2900	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
2088	axplong.exe
1816	stealc_default2.exe
1608	MSBuild.exe
1964	2Pzxp4TS18.exe
1948	IBFHS19Er7.exe
1608	MSBuild.exe
1608	MSBuild.exe
2588	9ccd4b8a29.exe
1816	stealc_default2.exe
1520	75fd6f4435.exe
2644	skotes.exe
1728	newbundle2.exe
2384	penis.exe
1728	newbundle2.exe
1728	newbundle2.exe
1856	Waters.pif
1856	Waters.pif
1856	Waters.pif
1856	Waters.pif
1856	Waters.pif
1856	Waters.pif
1856	Waters.pif
1856	Waters.pif
1856	Waters.pif
1856	Waters.pif
1856	Waters.pif
1856	Waters.pif
1856	Waters.pif
1856	Waters.pif
1856	Waters.pif
1856	Waters.pif
1856	Waters.pif
1856	Waters.pif
1264	skotes.exe
2484	Waters.pif
2484	Waters.pif
2484	Waters.pif
2484	Waters.pif
2484	Waters.pif
2484	Waters.pif
2484	Waters.pif
2484	Waters.pif
2484	Waters.pif
2484	Waters.pif
2484	Waters.pif
2484	Waters.pif
2484	Waters.pif
2484	Waters.pif
2484	Waters.pif
2700	RegAsm.exe
2700	RegAsm.exe
2700	RegAsm.exe
2700	RegAsm.exe
2700	RegAsm.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2120	remcos.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeBackupPrivilege	1964	2Pzxp4TS18.exe
Token: SeBackupPrivilege	1948	IBFHS19Er7.exe
Token: SeSecurityPrivilege	1964	2Pzxp4TS18.exe
Token: SeSecurityPrivilege	1948	IBFHS19Er7.exe
Token: SeSecurityPrivilege	1964	2Pzxp4TS18.exe
Token: SeSecurityPrivilege	1964	2Pzxp4TS18.exe
Token: SeSecurityPrivilege	1964	2Pzxp4TS18.exe
Token: SeSecurityPrivilege	1948	IBFHS19Er7.exe
Token: SeSecurityPrivilege	1948	IBFHS19Er7.exe
Token: SeSecurityPrivilege	1948	IBFHS19Er7.exe
Token: SeDebugPrivilege	1964	2Pzxp4TS18.exe
Token: SeDebugPrivilege	1948	IBFHS19Er7.exe
Token: SeDebugPrivilege	1608	MSBuild.exe
Token: SeDebugPrivilege	1728	newbundle2.exe
Token: SeDebugPrivilege	1924	tasklist.exe
Token: SeDebugPrivilege	1716	tasklist.exe
Token: SeDebugPrivilege	2572	processclass.exe
Token: SeDebugPrivilege	1872	tasklist.exe
Token: SeDebugPrivilege	556	tasklist.exe
Token: SeDebugPrivilege	2552	taskkill.exe
Token: SeDebugPrivilege	2700	RegAsm.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2900	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
2380	Nework.exe
1520	75fd6f4435.exe
1856	Waters.pif
1856	Waters.pif
1856	Waters.pif
2484	Waters.pif
2484	Waters.pif
2484	Waters.pif

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1856	Waters.pif
1856	Waters.pif
1856	Waters.pif
2484	Waters.pif
2484	Waters.pif
2484	Waters.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2088	2900	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe	30
PID 2900 wrote to memory of 2088	2900	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe	30
PID 2900 wrote to memory of 2088	2900	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe	30
PID 2900 wrote to memory of 2088	2900	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe	30
PID 2088 wrote to memory of 1104	2088	axplong.exe	33
PID 2088 wrote to memory of 1104	2088	axplong.exe	33
PID 2088 wrote to memory of 1104	2088	axplong.exe	33
PID 2088 wrote to memory of 1104	2088	axplong.exe	33
PID 1104 wrote to memory of 1608	1104	gold.exe	34
PID 1104 wrote to memory of 1608	1104	gold.exe	34
PID 1104 wrote to memory of 1608	1104	gold.exe	34
PID 1104 wrote to memory of 1608	1104	gold.exe	34
PID 1104 wrote to memory of 1608	1104	gold.exe	34
PID 1104 wrote to memory of 1608	1104	gold.exe	34
PID 1104 wrote to memory of 1608	1104	gold.exe	34
PID 1104 wrote to memory of 1608	1104	gold.exe	34
PID 1104 wrote to memory of 1608	1104	gold.exe	34
PID 1104 wrote to memory of 2784	1104	gold.exe	35
PID 1104 wrote to memory of 2784	1104	gold.exe	35
PID 1104 wrote to memory of 2784	1104	gold.exe	35
PID 1104 wrote to memory of 2784	1104	gold.exe	35
PID 2088 wrote to memory of 844	2088	axplong.exe	36
PID 2088 wrote to memory of 844	2088	axplong.exe	36
PID 2088 wrote to memory of 844	2088	axplong.exe	36
PID 2088 wrote to memory of 844	2088	axplong.exe	36
PID 844 wrote to memory of 2312	844	legas.exe	37
PID 844 wrote to memory of 2312	844	legas.exe	37
PID 844 wrote to memory of 2312	844	legas.exe	37
PID 844 wrote to memory of 2312	844	legas.exe	37
PID 844 wrote to memory of 2312	844	legas.exe	37
PID 844 wrote to memory of 2312	844	legas.exe	37
PID 844 wrote to memory of 2312	844	legas.exe	37
PID 844 wrote to memory of 2312	844	legas.exe	37
PID 844 wrote to memory of 2312	844	legas.exe	37
PID 844 wrote to memory of 2312	844	legas.exe	37
PID 844 wrote to memory of 2312	844	legas.exe	37
PID 844 wrote to memory of 896	844	legas.exe	38
PID 844 wrote to memory of 896	844	legas.exe	38
PID 844 wrote to memory of 896	844	legas.exe	38
PID 844 wrote to memory of 896	844	legas.exe	38
PID 2312 wrote to memory of 1948	2312	MSBuild.exe	40
PID 2312 wrote to memory of 1948	2312	MSBuild.exe	40
PID 2312 wrote to memory of 1948	2312	MSBuild.exe	40
PID 2312 wrote to memory of 1948	2312	MSBuild.exe	40
PID 2312 wrote to memory of 1964	2312	MSBuild.exe	41
PID 2312 wrote to memory of 1964	2312	MSBuild.exe	41
PID 2312 wrote to memory of 1964	2312	MSBuild.exe	41
PID 2312 wrote to memory of 1964	2312	MSBuild.exe	41
PID 2088 wrote to memory of 2380	2088	axplong.exe	42
PID 2088 wrote to memory of 2380	2088	axplong.exe	42
PID 2088 wrote to memory of 2380	2088	axplong.exe	42
PID 2088 wrote to memory of 2380	2088	axplong.exe	42
PID 2380 wrote to memory of 924	2380	Nework.exe	43
PID 2380 wrote to memory of 924	2380	Nework.exe	43
PID 2380 wrote to memory of 924	2380	Nework.exe	43
PID 2380 wrote to memory of 924	2380	Nework.exe	43
PID 2088 wrote to memory of 1816	2088	axplong.exe	44
PID 2088 wrote to memory of 1816	2088	axplong.exe	44
PID 2088 wrote to memory of 1816	2088	axplong.exe	44
PID 2088 wrote to memory of 1816	2088	axplong.exe	44
PID 2088 wrote to memory of 2384	2088	axplong.exe	45
PID 2088 wrote to memory of 2384	2088	axplong.exe	45
PID 2088 wrote to memory of 2384	2088	axplong.exe	45
PID 2088 wrote to memory of 2384	2088	axplong.exe	45

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
  "C:\Users\Admin\AppData\Local\Temp\54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
      "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1104
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 92
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe
      "C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:844
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Users\Admin\AppData\Roaming\IBFHS19Er7.exe
        
        "C:\Users\Admin\AppData\Roaming\IBFHS19Er7.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
      - C:\Users\Admin\AppData\Roaming\2Pzxp4TS18.exe
        
        "C:\Users\Admin\AppData\Roaming\2Pzxp4TS18.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 52
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:896
  - - C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
      "C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:924
  - - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
      "C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2384
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 740
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\1000354001\9ccd4b8a29.exe
      "C:\Users\Admin\AppData\Local\Temp\1000354001\9ccd4b8a29.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\1000355001\75fd6f4435.exe
      "C:\Users\Admin\AppData\Local\Temp\1000355001\75fd6f4435.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:1520
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2644
      - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1264
      - C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\1000367001\processclass.exe
      "C:\Users\Admin\AppData\Local\Temp\1000367001\processclass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2572
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start context.exe
        5⤵
        
        PID:1324
      - C:\Users\Admin\AppData\Local\Temp\context.exe
        
        context.exe
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 607698
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\607698\Waters.pif
        
        Waters.pif Q
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2484
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\1000368001\splwow64.exe
      "C:\Users\Admin\AppData\Local\Temp\1000368001\splwow64.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:1680
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1804
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 607698
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "MaskBathroomCompositionInjection" Participants
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
      - C:\Users\Admin\AppData\Local\Temp\607698\Waters.pif
        
        Waters.pif Q
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "Waters.pif" && timeout 1 && del Waters.pif && Exit"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:656
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "Waters.pif"
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2052
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\1000378001\66fa80c468fe3_Channel2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000378001\66fa80c468fe3_Channel2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\1000386001\2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000386001\2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\1000398001\file.exe
      "C:\Users\Admin\AppData\Local\Temp\1000398001\file.exe"
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2172
    - - C:\ProgramData\tst\remcos.exe
        
        "C:\ProgramData\tst\remcos.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2120
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe
      "C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2936
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\1000401001\resota.exe
      "C:\Users\Admin\AppData\Local\Temp\1000401001\resota.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2388
    - - C:\Users\Admin\AppData\Local\Temp\setup3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup3.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2800
    - - C:\Users\Admin\AppData\Local\Temp\Set-up.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:1048
      - C:\Users\Admin\AppData\Local\Temp\service123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1704
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2804
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & echo URL="C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:1484

C:\Windows\system32\taskeng.exe
taskeng.exe {30A6DB66-B5DC-483C-AB57-18417658420F} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
1⤵
PID:1376
- C:\Users\Admin\AppData\Local\Temp\service123.exe
  C:\Users\Admin\AppData\Local\Temp\/service123.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03357a22c73295556048b5d82eabc076

SHA1
68cbf44fd4a22fe4070ac9fb5d2a7bde416d2847

SHA256
9b6c949834a3cef9c38d68605b7c9956db49435cbaeae122517568e96ea85e5e

SHA512
5e4473669723c7cbce1eaabe6cab13e596d0b47591d60990f9ad1b3732d8f9a644cd8487644d7cca85a7c4f2936699a6d5a0f37d8d6d2f5f4d38f95bc0881490

Download Submit
C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.scr

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

Filesize
479KB

MD5
c06f1b4620ae77287d760821d0cbe8b5

SHA1
3334d3d049b4512f2d5c06151363fbee405a8e26

SHA256
57b12f4cad8251939bffda4f9306a979fdc90d13e0af58002efbb4c7661770af

SHA512
f662c35cab41ca451735a199bde39f53b639537e6046d2e85e9314e9ef15d1047e6904cfa721ff0ac333bab5339ec59432d6ac1f612d1eb05be348b54edd7e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe

Filesize
1.3MB

MD5
24402fc0617a2740c16ea9c81518d669

SHA1
a0476ef848cd11bb20f8efd06e295a0f44c956ca

SHA256
c02fcc32573f4546201515667154d9e51e2636af52a1790d1063183c0d012566

SHA512
dd90c0036a8a109c5645b481f1bd7b193fa86518183790b75dbc400416793fb8f9e7d4d4621d7c0227cbbf483758a03a94581397686b09c6f65218b651b5bc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

Filesize
416KB

MD5
f5d7b79ee6b6da6b50e536030bcc3b59

SHA1
751b555a8eede96d55395290f60adc43b28ba5e2

SHA256
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

SHA512
532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

Filesize
187KB

MD5
7a02aa17200aeac25a375f290a4b4c95

SHA1
7cc94ca64268a9a9451fb6b682be42374afc22fd

SHA256
836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e

SHA512
f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe

Filesize
307KB

MD5
6ead977356a0302d5712c5c72bf82b65

SHA1
efc7e990984a170dd352e8290fedd1d4d748851c

SHA256
7ee8a586b2c7b7772a44aed28b4cb7934f13f0939e2573c8adf22cda922790ce

SHA512
7f0b88c74179866956e2358e21e4700ed9baf1c28712ee78aea689a8027c62aa05c781984c0e3bdca83657b7d34570d5f1e670ef95c91f46f48680c07e53325a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe

Filesize
304KB

MD5
58e8b2eb19704c5a59350d4ff92e5ab6

SHA1
171fc96dda05e7d275ec42840746258217d9caf0

SHA256
07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834

SHA512
e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe

Filesize
307KB

MD5
791fcee57312d4a20cc86ae1cea8dfc4

SHA1
04a88c60ae1539a63411fe4765e9b931e8d2d992

SHA256
27e4a3627d7df2b22189dd4bebc559ae1986d49a8f4e35980b428fadb66cf23d

SHA512
2771d4e7b272bf770efad22c9fb1dfafe10cbbf009df931f091fb543e3132c0efda16acb5b515452e9e67e8b1fc8fe8aedd1376c236061385f026865cdc28d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000354001\9ccd4b8a29.exe

Filesize
1.8MB

MD5
030bba3e5d11a4f42077b65ca2ef8bbb

SHA1
89e9f14f0473cef69dd656aaa546b6ee007f39c9

SHA256
139efc522fb50a3857dd38a3cd79fb90d4ce277cb632ad5490bf66542f8a004e

SHA512
7817e535bb4aef3d1413ff1b58b28e2f44537720a2f38e13292eb9e51f3f2fc8135d06cc13b1cdeff3bf88310c45fa56639b91c1d9b41448d7a29180f39467bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000355001\75fd6f4435.exe

Filesize
1.8MB

MD5
945995d3c7c08cff97cf6da57f42e7b8

SHA1
6e0a2350fad103c45ed60520324e172ac627a5d1

SHA256
27b09bf2dd3b6545dd7cbd0817c24c60bb9111aebc4e6af76691f91556c213dd

SHA512
45ce74820a0fac42eb4912d479b89d217a918121d19edd3ab216936f6c19db0e6a02cc3393611daa6d97c35c28db969ec84cec4bb853c7732803e3b26271d047

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000367001\processclass.exe

Filesize
6KB

MD5
c042782226565f89ce3954489075e516

SHA1
256dd5ba42837a33c7aa6cb71cef33d5617117ee

SHA256
a7b63cd9959ac6f23c86644a4ca5411b519855d47f1f5e75a1645d7274f545a6

SHA512
9f0771c66ea7c0a2264b99a8782e3ab88a2d74b609265b5ce14f81dcc52b71e46248abd77767018711d72a18e20fe3b272513bfd722fff9043f962f7c8ed93fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000368001\splwow64.exe

Filesize
1.3MB

MD5
2b01c9b0c69f13da5ee7889a4b17c45e

SHA1
27f0c1ae0ddeddc9efac38bc473476b103fef043

SHA256
d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29

SHA512
23d4a0fc82b70cd2454a1be3d9b84b8ce7dd00ad7c3e8ad2b771b1b7cbca752c53feec5a3ac5a81d8384a9fc6583f63cc39f1ebe7de04d3d9b08be53641ec455

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000378001\66fa80c468fe3_Channel2.exe

Filesize
9.5MB

MD5
00f86418396c17d89d43328753aa0e94

SHA1
535724a5b79937c3241e59460cf8f0b461625b22

SHA256
cb5f4641a3d416400f25611738e50f3cee8479c6d2c5ade6e4a2c36a14ac2e38

SHA512
5e3d6e058c0a7d78581c0c354b2d43d755afa3fdb25d5e308816e0a336f945e4b6d59a3cbea9a790f45c4ce516c6caf698400e1695a3a51fab4343ead9738c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000386001\2.exe

Filesize
7.2MB

MD5
eadf1731c7b0155cef6e7813007c73ca

SHA1
582c875ea0604fcac26a1535b0899fd7d36a4ca7

SHA256
432f4077d2f9d7e37290e2baef855ed9943712c40808ba1394892c61275b57cc

SHA512
05d0eed78f6fd8b6f6c85fac5ed5a4c4fcf80a92cfc3dd430595559af0ccd3374467f092a38d4a461523e86c029fa3d1d090be4e3a059e393b989d30637252f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000398001\file.exe

Filesize
482KB

MD5
13095aaded59fb08db07ecf6bc2387ef

SHA1
13466ec6545a05da5d8ea49a8ec6c56c4f9aa648

SHA256
02b4e1709e79653e9569bf727301f92d4928726ba69d8d764db5841b94d63671

SHA512
fe10e40072e12c68edd3c3fcb9583253a4ee9fd7ec42f2a423829202abedf443c654968acb44919ad8ba3ecafa77c95b7fd2b8b641dd83779960363c0bb11bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe

Filesize
314KB

MD5
ff5afed0a8b802d74af1c1422c720446

SHA1
7135acfa641a873cb0c4c37afc49266bfeec91d8

SHA256
17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

SHA512
11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000401001\resota.exe

Filesize
6.9MB

MD5
aebc57b12bbfd717e69bf34fe29ef385

SHA1
33767e169e0509635d4e5409952d57f8cc7bdefa

SHA256
34cca02c4c2a2988e78852bff07c25c8cbddeb1818485593bede5588f8b1ead0

SHA512
4c73729a5702f901ba74b07a6108e871859b22e9c21b65d4c28d298c2adaec7636ee085225feff31fd1262264cb50b1b48c70f44aa7e54191ac6699c4df7bb2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
c66b635299ed3301414a579b16e04c5c

SHA1
6cd13860578174194beef8cfd0cbe0cfc8f2dfaa

SHA256
54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb

SHA512
e29242970c9b2ca1bf32a2a38058cef75716f683d93af2af60fe3aa865558acf967e242b918c0a361f1714fe91ef3181134de4c1825428c26d14ba8ff97bf1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\607698\Q

Filesize
794KB

MD5
7b5632dcd418bcbae2a9009dbaf85f37

SHA1
32aaf06166854718f0bcbb2f7173c2732cfb4d33

SHA256
361e9c3b62719b79bc280420b5f710e160fd55f2250bf605911ded7162483db4

SHA512
c834e90ccf2d35529c294319b8e9a49db7a7d67d0567e0739131d5af51170db32076d68147dc101f8047a75cb5b2275b25a9c8346a99a146a6798b9764316838

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF71C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Emotions

Filesize
19KB

MD5
b98d78c3abe777a5474a60e970a674ad

SHA1
079e438485e46aff758e2dff4356fdd2c7575d78

SHA256
2bc28afb291ece550a7cd2d0c5c060730eb1981d1cf122558d6971526c637eb4

SHA512
6218413866237bc1f6eada6554658a00c9fc55402e104576b33a2e8d4adf0fd952d8cc8d1ae3a02ebcfa030115fc388fc1a6f23b9d372f808e11e1b551064e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Navy

Filesize
56KB

MD5
d4eb107cfd9fc38ed7e7b253562e155a

SHA1
7fc17c27c9f4739c19211600398bf1ee9df84dc5

SHA256
68e9a8d57ba2a484dd28a1afed5262a86aff4d81467b93b4072f329fab984f4c

SHA512
3a95c48e7a61239cbaa857459a6a106536dfd8190205275e2549a9939116833141276dd5b6c81ff337d2340eedba633d9ca01a03fb490eb27184becc97626e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Participants

Filesize
2KB

MD5
f0e725addf4ec15a56aa0bde5bd8b2a7

SHA1
1f54a49195d3f7fd93c5fec06cc5904c57995147

SHA256
7cbd6810cb4dd516eeb75df79d1db55f74471c11594333ac225f24bfc0fca7ca

SHA512
00f14e435e0f8396f6c94fd5ace3f3645e87511b9e41e8c7c7caadb751ed826f60362ac007c80e9c3bd16f8f31b3a9107cbb39bf5c26d20a0ab5129e695f5269

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rick

Filesize
869KB

MD5
e0d37e7b879f4b4e0dde5006da5009bd

SHA1
33d19bdb8a0ae45a38ab6899381ca8bc1ea7c1a5

SHA256
27014daa44b8b92e1684970350c43bb1701d3a592572e650e1e00be1470e5f77

SHA512
68b2f357b3f02f3181df095ddc6fe8ff1810a150e832c245e428f973a096301b1d13fce00ad28af662c4aea371f872d56348fe7b5d2070ed3f1c49388efd3f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Set-up.exe

Filesize
6.7MB

MD5
980556548e1aadbea1796d6f6066dbbb

SHA1
54578bbddaa55cfa274cdb0b9f55c35149813bb1

SHA256
5890ffbb15ab4e25e30e1f9f4b04159c257832c06343d1a80c2c36de60bbf817

SHA512
848899c14f0e817f89e790db9f97b5120e6d8fbbdf176e05f03705aa8856d6dff8eba4baacbc340035529e4e50d5b4646cb22240a02015621f7face5344509db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Streaming

Filesize
97KB

MD5
1501de696d22f872db44b548cba0e4fa

SHA1
ed8a2948aaf041bfd0196a180f5888bdddcb9879

SHA256
dcf4784ea71a3e1a42318c09183d4b5981009d296814d3679ca68eb0a7c9e2ef

SHA512
fa931ce9f6ab6928cec1c999f1aa6082bd7c5c74eff317fc6b1bd0d9f88de2753e157ebd4d6a2719c5861f7fdc12bcde5859945633c1a2b8e0967684771f84bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF71E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temperature

Filesize
89KB

MD5
249d56cbe275c2258ccd964f0c6241d9

SHA1
8ac982fe39012b8812ed9dcf16e8e00c9a74b0bc

SHA256
7c16e21e29d442bf0b459d083198b22ee9c6d9926e3aa61f43dc3a1ee3ecb731

SHA512
440d7ff539e737e4e3b74549be7495d0f3b3230888355bc93eeca8084c80f255d988839ef455b4f6841fbaa64aabfdef9233130663aa3c24f711d01edb8e6be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpDFE5.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Roaming\2Pzxp4TS18.exe

Filesize
393KB

MD5
7d7366ab79d6d3d8d83d13a8b30de999

SHA1
75c6c49a6701d254c3ce184054a4a01329c1a6f3

SHA256
3d66fed04c76d055c6149b33dcfda544b509c57087c57a861e1d6256b59f8465

SHA512
64f4551b3be1c21ce7c2d49608463e5aec4166e3e6893883c33a5b7d1109ef0fc8ab6bd15c70d9d606e2706f12a937c2d90d5bc8f6c629ad6f30f212dc25f022

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3434294380-2554721341-1919518612-1000\76b53b3ec448f7ccdda2063b15d2bfc3_d9071d2c-e5ad-4187-a976-30114bb93bf6

Filesize
2KB

MD5
0052bdca9b767e5dbaab95b930b06522

SHA1
09d27f85892ca78d8780835a07e950ce7fffb30d

SHA256
aa1493af915ed70ecdec058417b82a56cd73d06d08e61c1195ab6890b7412323

SHA512
653649a7ef149e7fe8961a167edb46150c64a410a0a11761505e1d4531cde3459257407a829ac67e865e0cae49b5528ee38a1a696dad3658f9b721eb586a5f3e

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
9a1007aa4605dfdbced6395f0202db9b

SHA1
47b4f39411d258c6be8de5cc4c7e39b2eadab619

SHA256
77c749ce967d0437f8dce2184f9d45c89a1144fcdf99c9dc6cc8535a3f45cf11

SHA512
f1dea9df274f810dbd972b897df67b7e434f49e982155c43bd698b92aa3fec663fb77df6f2480218bfcb5f6b38bc7d41de4aebe90de7cadbd5109cfc50ccb0e3

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Roaming\IBFHS19Er7.exe

Filesize
602KB

MD5
e4fc58d334930a9d6572c344e5129f6b

SHA1
d38fbd0c4c86eee14722f40cc607e2128c01b00f

SHA256
973a9056040af402d6f92f436a287ea164fae09c263f80aba0b8d5366ed9957a

SHA512
a69f5da8de8c9782769cca2e2fc5b28bbeba0c0d0027954dbe47b15610d82277abbe912f0e5921a18000f1a3a3c54eb5922f70c773537a22f4b35ff926d17a59

Download Submit
memory/1104-194-0x0000000000B94000-0x0000000000B95000-memory.dmp

Filesize
4KB

Download
memory/1104-38-0x0000000000B94000-0x0000000000B95000-memory.dmp

Filesize
4KB

Download
memory/1264-434-0x0000000000400000-0x0000000000AB4000-memory.dmp

Filesize
6.7MB

Download
memory/1264-459-0x0000000000400000-0x0000000000AB4000-memory.dmp

Filesize
6.7MB

Download
memory/1264-444-0x0000000000400000-0x0000000000AB4000-memory.dmp

Filesize
6.7MB

Download
memory/1264-446-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1264-449-0x0000000000AF0000-0x0000000000F99000-memory.dmp

Filesize
4.7MB

Download
memory/1264-447-0x0000000000400000-0x0000000000AB4000-memory.dmp

Filesize
6.7MB

Download
memory/1264-448-0x0000000000400000-0x0000000000AB4000-memory.dmp

Filesize
6.7MB

Download
memory/1264-441-0x0000000000400000-0x0000000000AB4000-memory.dmp

Filesize
6.7MB

Download
memory/1264-439-0x0000000000400000-0x0000000000AB4000-memory.dmp

Filesize
6.7MB

Download
memory/1264-432-0x0000000000400000-0x0000000000AB4000-memory.dmp

Filesize
6.7MB

Download
memory/1264-430-0x0000000000400000-0x0000000000AB4000-memory.dmp

Filesize
6.7MB

Download
memory/1520-348-0x0000000000310000-0x00000000007B9000-memory.dmp

Filesize
4.7MB

Download
memory/1520-374-0x0000000000310000-0x00000000007B9000-memory.dmp

Filesize
4.7MB

Download
memory/1608-39-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1608-40-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1608-48-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1608-45-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1608-46-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1608-41-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1608-43-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1608-42-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1728-195-0x0000000000020000-0x0000000000072000-memory.dmp

Filesize
328KB

Download
memory/1816-349-0x00000000011D0000-0x0000000001413000-memory.dmp

Filesize
2.3MB

Download
memory/1816-160-0x00000000011D0000-0x0000000001413000-memory.dmp

Filesize
2.3MB

Download
memory/1816-258-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1948-113-0x0000000000BA0000-0x0000000000C3C000-memory.dmp

Filesize
624KB

Download
memory/1964-114-0x00000000008D0000-0x0000000000938000-memory.dmp

Filesize
416KB

Download
memory/2088-20-0x0000000000D90000-0x0000000001254000-memory.dmp

Filesize
4.8MB

Download
memory/2088-158-0x0000000006150000-0x0000000006393000-memory.dmp

Filesize
2.3MB

Download
memory/2088-302-0x0000000006770000-0x0000000006E24000-memory.dmp

Filesize
6.7MB

Download
memory/2088-303-0x0000000006770000-0x0000000006E24000-memory.dmp

Filesize
6.7MB

Download
memory/2088-333-0x0000000000D90000-0x0000000001254000-memory.dmp

Filesize
4.8MB

Download
memory/2088-715-0x0000000006770000-0x00000000069D1000-memory.dmp

Filesize
2.4MB

Download
memory/2088-347-0x0000000006770000-0x0000000006C19000-memory.dmp

Filesize
4.7MB

Download
memory/2088-713-0x0000000006150000-0x0000000006393000-memory.dmp

Filesize
2.3MB

Download
memory/2088-711-0x0000000006150000-0x0000000006393000-memory.dmp

Filesize
2.3MB

Download
memory/2088-18-0x0000000000D90000-0x0000000001254000-memory.dmp

Filesize
4.8MB

Download
memory/2088-176-0x0000000006770000-0x00000000069D1000-memory.dmp

Filesize
2.4MB

Download
memory/2088-115-0x0000000000D90000-0x0000000001254000-memory.dmp

Filesize
4.8MB

Download
memory/2088-376-0x0000000006770000-0x0000000006E24000-memory.dmp

Filesize
6.7MB

Download
memory/2088-141-0x0000000000D90000-0x0000000001254000-memory.dmp

Filesize
4.8MB

Download
memory/2088-140-0x0000000000D90000-0x0000000001254000-memory.dmp

Filesize
4.8MB

Download
memory/2088-112-0x0000000000D90000-0x0000000001254000-memory.dmp

Filesize
4.8MB

Download
memory/2088-437-0x0000000000D90000-0x0000000001254000-memory.dmp

Filesize
4.8MB

Download
memory/2088-159-0x0000000006150000-0x0000000006393000-memory.dmp

Filesize
2.3MB

Download
memory/2088-37-0x0000000000D90000-0x0000000001254000-memory.dmp

Filesize
4.8MB

Download
memory/2088-23-0x0000000000D90000-0x0000000001254000-memory.dmp

Filesize
4.8MB

Download
memory/2088-21-0x0000000000D90000-0x0000000001254000-memory.dmp

Filesize
4.8MB

Download
memory/2088-177-0x0000000006770000-0x00000000069D1000-memory.dmp

Filesize
2.4MB

Download
memory/2088-19-0x0000000000D90000-0x0000000001254000-memory.dmp

Filesize
4.8MB

Download
memory/2312-80-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2312-78-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2312-91-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2312-93-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2312-82-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2312-86-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2312-109-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2312-88-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2312-92-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2312-84-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2320-533-0x0000000000EA0000-0x0000000001101000-memory.dmp

Filesize
2.4MB

Download
memory/2320-534-0x0000000000EA0000-0x0000000001101000-memory.dmp

Filesize
2.4MB

Download
memory/2384-179-0x00000000001F0000-0x0000000000451000-memory.dmp

Filesize
2.4MB

Download
memory/2384-436-0x00000000001F0000-0x0000000000451000-memory.dmp

Filesize
2.4MB

Download
memory/2388-679-0x0000000000EC0000-0x00000000015B6000-memory.dmp

Filesize
7.0MB

Download
memory/2572-363-0x00000000013C0000-0x00000000013C8000-memory.dmp

Filesize
32KB

Download
memory/2588-397-0x00000000001F0000-0x00000000008A4000-memory.dmp

Filesize
6.7MB

Download
memory/2588-305-0x00000000001F0000-0x00000000008A4000-memory.dmp

Filesize
6.7MB

Download
memory/2644-531-0x0000000006850000-0x0000000006AB1000-memory.dmp

Filesize
2.4MB

Download
memory/2644-741-0x0000000006850000-0x0000000006AB1000-memory.dmp

Filesize
2.4MB

Download
memory/2644-740-0x0000000006850000-0x0000000006AB1000-memory.dmp

Filesize
2.4MB

Download
memory/2644-442-0x0000000000AF0000-0x0000000000F99000-memory.dmp

Filesize
4.7MB

Download
memory/2644-532-0x0000000006850000-0x0000000006AB1000-memory.dmp

Filesize
2.4MB

Download
memory/2644-443-0x0000000000AF0000-0x0000000000F99000-memory.dmp

Filesize
4.7MB

Download
memory/2644-377-0x0000000000AF0000-0x0000000000F99000-memory.dmp

Filesize
4.7MB

Download
memory/2700-651-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2900-5-0x0000000000F40000-0x0000000001404000-memory.dmp

Filesize
4.8MB

Download
memory/2900-2-0x0000000000F41000-0x0000000000F6F000-memory.dmp

Filesize
184KB

Download
memory/2900-1-0x0000000077BE0000-0x0000000077BE2000-memory.dmp

Filesize
8KB

Download
memory/2900-3-0x0000000000F40000-0x0000000001404000-memory.dmp

Filesize
4.8MB

Download
memory/2900-10-0x0000000000F40000-0x0000000001404000-memory.dmp

Filesize
4.8MB

Download
memory/2900-0-0x0000000000F40000-0x0000000001404000-memory.dmp

Filesize
4.8MB

Download
memory/2900-17-0x0000000006F60000-0x0000000007424000-memory.dmp

Filesize
4.8MB

Download
memory/2900-16-0x0000000000F40000-0x0000000001404000-memory.dmp

Filesize
4.8MB

Download
memory/2936-637-0x0000000001380000-0x00000000013D4000-memory.dmp

Filesize
336KB

Download