amadey | 54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
Size

1.8MB
MD5

c66b635299ed3301414a579b16e04c5c
SHA1

6cd13860578174194beef8cfd0cbe0cfc8f2dfaa
SHA256

54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb
SHA512

e29242970c9b2ca1bf32a2a38058cef75716f683d93af2af60fe3aa865558acf967e242b918c0a361f1714fe91ef3181134de4c1825428c26d14ba8ff97bf1eb
SSDEEP

49152:/Qqdldr/FNHYR9RTf/fXISVdkuWqJHFv1i:3lF/FOhXXIKCqL

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

136.244.88.135:17615

Extracted

Family

stealc

Botnet

default2

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

stealc

Botnet

zalupa

http://95.217.92.42:22

Attributes

url_path
/7db38bfff9324bbe.php

Extracted

Family

redline

Botnet

newbundle2

185.215.113.67:15206

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

doma

http://185.215.113.37

Attributes

url_path
/e2b1563c6670f193.php

Extracted

Family

amadey

Version

4.41

Botnet

1176f2

http://185.215.113.19

Attributes

install_dir
417fd29867
install_file
ednfoki.exe
strings_key
183201dc3defc4394182b4bff63c4065
url_paths
/CoreOPT/index.php

rc4.plain

Extracted

Family

remcos

Botnet

RemoteHost

liveos.zapto.org:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
tst
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-Y7B4RN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

89.105.223.196:29862

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral2/memory/2068-38-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral2/files/0x00070000000234d8-183.dat	family_redline
behavioral2/memory/3840-197-0x00000000006E0000-0x0000000000732000-memory.dmp	family_redline
behavioral2/memory/3840-613-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2620 created 3420	2620	Waters.pif	56
PID 2620 created 3420	2620	Waters.pif	56

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	369dd67328.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5911822b36.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	remcos.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	369dd67328.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5911822b36.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	369dd67328.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5911822b36.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	processclass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	context.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Nework.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	5911822b36.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	penis.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Waters.pif
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	resota.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Set-up.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	splwow64.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url	cmd.exe

Executes dropped EXE 38 IoCs

pid	Process
4480	axplong.exe
4544	gold.exe
4504	legas.exe
4948	6ykOIk4yn4.exe
3068	yGyJAwQYo5.exe
2828	Nework.exe
3396	Hkbsse.exe
2364	stealc_default2.exe
2972	penis.exe
3840	newbundle2.exe
4044	369dd67328.exe
1728	5911822b36.exe
4764	processclass.exe
1268	skotes.exe
1772	splwow64.exe
5064	num.exe
2620	Waters.pif
1872	Hkbsse.exe
3312	skotes.exe
4348	axplong.exe
3756	66fa80c468fe3_Channel2.exe
1132	context.exe
3488	Waters.pif
4848	2.exe
3356	file.exe
4544	remcos.exe
3884	MK.exe
3212	resota.exe
452	setup3.exe
1360	Set-up.exe
4996	axplong.exe
1244	Hkbsse.exe
2220	skotes.exe
4576	service123.exe
992	skotes.exe
4220	Hkbsse.exe
4444	axplong.exe
3128	service123.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine	5911822b36.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine	369dd67328.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine	axplong.exe

Loads dropped DLL 4 IoCs

pid	Process
2364	stealc_default2.exe
2364	stealc_default2.exe
4576	service123.exe
3128	service123.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	file.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\369dd67328.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000354001\\369dd67328.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5911822b36.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000355001\\5911822b36.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\num.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000336001\\num.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
2088	tasklist.exe
4388	tasklist.exe
1932	tasklist.exe
3784	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
1116	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
4480	axplong.exe
4044	369dd67328.exe
1728	5911822b36.exe
1268	skotes.exe
4348	axplong.exe
3312	skotes.exe
4996	axplong.exe
2220	skotes.exe
992	skotes.exe
4444	axplong.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4544 set thread context of 2068	4544	gold.exe	85
PID 4504 set thread context of 1204	4504	legas.exe	94
PID 4544 set thread context of 1428	4544	remcos.exe	164
PID 3884 set thread context of 3840	3884	MK.exe	167

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
File created	C:\Windows\Tasks\Hkbsse.job	Nework.exe
File created	C:\Windows\Tasks\skotes.job	5911822b36.exe
File opened for modification	C:\Windows\HardlyAircraft	splwow64.exe
File opened for modification	C:\Windows\BrandonBlind	splwow64.exe
File opened for modification	C:\Windows\ViewpictureKingdom	context.exe
File opened for modification	C:\Windows\IpaqArthur	context.exe
File opened for modification	C:\Windows\ViewpictureKingdom	splwow64.exe
File opened for modification	C:\Windows\IpaqArthur	splwow64.exe
File opened for modification	C:\Windows\HardlyAircraft	context.exe
File opened for modification	C:\Windows\BrandonBlind	context.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4916	4544	WerFault.exe	83
4896	4504	WerFault.exe	90
1772	452	WerFault.exe	170

System Location Discovery: System Language Discovery 1 TTPs 56 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	splwow64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	resota.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	context.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	penis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	legas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newbundle2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Waters.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66fa80c468fe3_Channel2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	369dd67328.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Waters.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5911822b36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	num.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nework.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	setup3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	setup3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	setup3.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	penis.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	penis.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Set-up.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Set-up.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4028	timeout.exe
3068	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2636	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	file.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3884	schtasks.exe
3404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1116	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
1116	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
4480	axplong.exe
4480	axplong.exe
2364	stealc_default2.exe
2364	stealc_default2.exe
4948	6ykOIk4yn4.exe
4948	6ykOIk4yn4.exe
2068	MSBuild.exe
2068	MSBuild.exe
2068	MSBuild.exe
2068	MSBuild.exe
3068	yGyJAwQYo5.exe
3068	yGyJAwQYo5.exe
4044	369dd67328.exe
4044	369dd67328.exe
1728	5911822b36.exe
1728	5911822b36.exe
2068	MSBuild.exe
2068	MSBuild.exe
1268	skotes.exe
1268	skotes.exe
2364	stealc_default2.exe
2364	stealc_default2.exe
3840	newbundle2.exe
3840	newbundle2.exe
2972	penis.exe
2972	penis.exe
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4544	remcos.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeBackupPrivilege	3068	yGyJAwQYo5.exe
Token: SeBackupPrivilege	4948	6ykOIk4yn4.exe
Token: SeSecurityPrivilege	3068	yGyJAwQYo5.exe
Token: SeSecurityPrivilege	4948	6ykOIk4yn4.exe
Token: SeSecurityPrivilege	3068	yGyJAwQYo5.exe
Token: SeSecurityPrivilege	3068	yGyJAwQYo5.exe
Token: SeSecurityPrivilege	3068	yGyJAwQYo5.exe
Token: SeSecurityPrivilege	4948	6ykOIk4yn4.exe
Token: SeSecurityPrivilege	4948	6ykOIk4yn4.exe
Token: SeSecurityPrivilege	4948	6ykOIk4yn4.exe
Token: SeDebugPrivilege	3068	yGyJAwQYo5.exe
Token: SeDebugPrivilege	4948	6ykOIk4yn4.exe
Token: SeDebugPrivilege	2068	MSBuild.exe
Token: SeDebugPrivilege	3840	newbundle2.exe
Token: SeDebugPrivilege	3784	tasklist.exe
Token: SeDebugPrivilege	2088	tasklist.exe
Token: SeDebugPrivilege	4764	processclass.exe
Token: SeDebugPrivilege	4388	tasklist.exe
Token: SeDebugPrivilege	1932	tasklist.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	3840	RegAsm.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1116	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
3488	Waters.pif
3488	Waters.pif
3488	Waters.pif

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2620	Waters.pif
2620	Waters.pif
2620	Waters.pif
3488	Waters.pif
3488	Waters.pif
3488	Waters.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 4480	1116	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe	82
PID 1116 wrote to memory of 4480	1116	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe	82
PID 1116 wrote to memory of 4480	1116	54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe	82
PID 4480 wrote to memory of 4544	4480	axplong.exe	83
PID 4480 wrote to memory of 4544	4480	axplong.exe	83
PID 4480 wrote to memory of 4544	4480	axplong.exe	83
PID 4544 wrote to memory of 1832	4544	gold.exe	84
PID 4544 wrote to memory of 1832	4544	gold.exe	84
PID 4544 wrote to memory of 1832	4544	gold.exe	84
PID 4544 wrote to memory of 2068	4544	gold.exe	85
PID 4544 wrote to memory of 2068	4544	gold.exe	85
PID 4544 wrote to memory of 2068	4544	gold.exe	85
PID 4544 wrote to memory of 2068	4544	gold.exe	85
PID 4544 wrote to memory of 2068	4544	gold.exe	85
PID 4544 wrote to memory of 2068	4544	gold.exe	85
PID 4544 wrote to memory of 2068	4544	gold.exe	85
PID 4544 wrote to memory of 2068	4544	gold.exe	85
PID 4480 wrote to memory of 4504	4480	axplong.exe	90
PID 4480 wrote to memory of 4504	4480	axplong.exe	90
PID 4480 wrote to memory of 4504	4480	axplong.exe	90
PID 4504 wrote to memory of 564	4504	legas.exe	91
PID 4504 wrote to memory of 564	4504	legas.exe	91
PID 4504 wrote to memory of 564	4504	legas.exe	91
PID 4504 wrote to memory of 1948	4504	legas.exe	92
PID 4504 wrote to memory of 1948	4504	legas.exe	92
PID 4504 wrote to memory of 1948	4504	legas.exe	92
PID 4504 wrote to memory of 1564	4504	legas.exe	93
PID 4504 wrote to memory of 1564	4504	legas.exe	93
PID 4504 wrote to memory of 1564	4504	legas.exe	93
PID 4504 wrote to memory of 1204	4504	legas.exe	94
PID 4504 wrote to memory of 1204	4504	legas.exe	94
PID 4504 wrote to memory of 1204	4504	legas.exe	94
PID 4504 wrote to memory of 1204	4504	legas.exe	94
PID 4504 wrote to memory of 1204	4504	legas.exe	94
PID 4504 wrote to memory of 1204	4504	legas.exe	94
PID 4504 wrote to memory of 1204	4504	legas.exe	94
PID 4504 wrote to memory of 1204	4504	legas.exe	94
PID 4504 wrote to memory of 1204	4504	legas.exe	94
PID 4504 wrote to memory of 1204	4504	legas.exe	94
PID 1204 wrote to memory of 4948	1204	MSBuild.exe	97
PID 1204 wrote to memory of 4948	1204	MSBuild.exe	97
PID 1204 wrote to memory of 3068	1204	MSBuild.exe	98
PID 1204 wrote to memory of 3068	1204	MSBuild.exe	98
PID 4480 wrote to memory of 2828	4480	axplong.exe	99
PID 4480 wrote to memory of 2828	4480	axplong.exe	99
PID 4480 wrote to memory of 2828	4480	axplong.exe	99
PID 2828 wrote to memory of 3396	2828	Nework.exe	100
PID 2828 wrote to memory of 3396	2828	Nework.exe	100
PID 2828 wrote to memory of 3396	2828	Nework.exe	100
PID 4480 wrote to memory of 2364	4480	axplong.exe	101
PID 4480 wrote to memory of 2364	4480	axplong.exe	101
PID 4480 wrote to memory of 2364	4480	axplong.exe	101
PID 4480 wrote to memory of 2972	4480	axplong.exe	104
PID 4480 wrote to memory of 2972	4480	axplong.exe	104
PID 4480 wrote to memory of 2972	4480	axplong.exe	104
PID 4480 wrote to memory of 3840	4480	axplong.exe	107
PID 4480 wrote to memory of 3840	4480	axplong.exe	107
PID 4480 wrote to memory of 3840	4480	axplong.exe	107
PID 4480 wrote to memory of 4044	4480	axplong.exe	109
PID 4480 wrote to memory of 4044	4480	axplong.exe	109
PID 4480 wrote to memory of 4044	4480	axplong.exe	109
PID 4480 wrote to memory of 1728	4480	axplong.exe	111
PID 4480 wrote to memory of 1728	4480	axplong.exe	111
PID 4480 wrote to memory of 1728	4480	axplong.exe	111

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe
  "C:\Users\Admin\AppData\Local\Temp\54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
      "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:1832
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 304
        5⤵
        Program crash
        
        PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe
      "C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4504
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:564
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:1948
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:1564
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1204
      - C:\Users\Admin\AppData\Roaming\6ykOIk4yn4.exe
        
        "C:\Users\Admin\AppData\Roaming\6ykOIk4yn4.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
      - C:\Users\Admin\AppData\Roaming\yGyJAwQYo5.exe
        
        "C:\Users\Admin\AppData\Roaming\yGyJAwQYo5.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 288
        5⤵
        Program crash
        
        PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
      "C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3396
  - - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
      "C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2972
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe" & del "C:\ProgramData\*.dll"" & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3352
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4028
  - - C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\1000354001\369dd67328.exe
      "C:\Users\Admin\AppData\Local\Temp\1000354001\369dd67328.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4044
  - - C:\Users\Admin\AppData\Local\Temp\1000355001\5911822b36.exe
      "C:\Users\Admin\AppData\Local\Temp\1000355001\5911822b36.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1728
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1268
      - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        6⤵
        
        PID:4460
      - C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5064
  - - C:\Users\Admin\AppData\Local\Temp\1000367001\processclass.exe
      "C:\Users\Admin\AppData\Local\Temp\1000367001\processclass.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4764
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start context.exe
        5⤵
        
        PID:3300
      - C:\Users\Admin\AppData\Local\Temp\context.exe
        
        context.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 607698
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\607698\Waters.pif
        
        Waters.pif Q
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3488
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3476
  - - C:\Users\Admin\AppData\Local\Temp\1000368001\splwow64.exe
      "C:\Users\Admin\AppData\Local\Temp\1000368001\splwow64.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:1772
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3172
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3784
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 607698
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "MaskBathroomCompositionInjection" Participants
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3264
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3252
      - C:\Users\Admin\AppData\Local\Temp\607698\Waters.pif
        
        Waters.pif Q
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "Waters.pif" && timeout 1 && del Waters.pif && Exit"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "Waters.pif"
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3068
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\1000378001\66fa80c468fe3_Channel2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000378001\66fa80c468fe3_Channel2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3756
  - - C:\Users\Admin\AppData\Local\Temp\1000386001\2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000386001\2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4848
  - - C:\Users\Admin\AppData\Local\Temp\1000398001\file.exe
      "C:\Users\Admin\AppData\Local\Temp\1000398001\file.exe"
      4⤵
      Adds policy Run key to start application
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3356
    - - C:\ProgramData\tst\remcos.exe
        
        "C:\ProgramData\tst\remcos.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:4544
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
  - - C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe
      "C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:3884
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\1000401001\resota.exe
      "C:\Users\Admin\AppData\Local\Temp\1000401001\resota.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3212
    - - C:\Users\Admin\AppData\Local\Temp\setup3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup3.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        
        PID:452
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 268
        6⤵
        Program crash
        
        PID:1772
    - - C:\Users\Admin\AppData\Local\Temp\Set-up.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:1360
      - C:\Users\Admin\AppData\Local\Temp\service123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4576
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4332
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3884
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & echo URL="C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4544 -ip 4544
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4504 -ip 4504
1⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3312

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:1872

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 452 -ip 452
1⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4996

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:1244

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2220

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:992

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4220

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4444

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
f3db56557b5a1bf8728848c7baeb5861

SHA1
3071327faa4ff57c172d4cf276bcf55f5f00d1f1

SHA256
596557976ff2bc32b0fa25315b9c3f5d3e83ca94ebcfc8b06253be98b02d3388

SHA512
983e211a87f9a9a1323a8bcdaa4ffbe0f62bac37100a97ed3007d739fb90a069f67402dd5f11bdbabbc80e0ceff96c935b50a084d840d4251a3b58b9be19ceb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

Filesize
479KB

MD5
c06f1b4620ae77287d760821d0cbe8b5

SHA1
3334d3d049b4512f2d5c06151363fbee405a8e26

SHA256
57b12f4cad8251939bffda4f9306a979fdc90d13e0af58002efbb4c7661770af

SHA512
f662c35cab41ca451735a199bde39f53b639537e6046d2e85e9314e9ef15d1047e6904cfa721ff0ac333bab5339ec59432d6ac1f612d1eb05be348b54edd7e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe

Filesize
1.3MB

MD5
24402fc0617a2740c16ea9c81518d669

SHA1
a0476ef848cd11bb20f8efd06e295a0f44c956ca

SHA256
c02fcc32573f4546201515667154d9e51e2636af52a1790d1063183c0d012566

SHA512
dd90c0036a8a109c5645b481f1bd7b193fa86518183790b75dbc400416793fb8f9e7d4d4621d7c0227cbbf483758a03a94581397686b09c6f65218b651b5bc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

Filesize
416KB

MD5
f5d7b79ee6b6da6b50e536030bcc3b59

SHA1
751b555a8eede96d55395290f60adc43b28ba5e2

SHA256
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

SHA512
532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

Filesize
187KB

MD5
7a02aa17200aeac25a375f290a4b4c95

SHA1
7cc94ca64268a9a9451fb6b682be42374afc22fd

SHA256
836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e

SHA512
f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe

Filesize
307KB

MD5
6ead977356a0302d5712c5c72bf82b65

SHA1
efc7e990984a170dd352e8290fedd1d4d748851c

SHA256
7ee8a586b2c7b7772a44aed28b4cb7934f13f0939e2573c8adf22cda922790ce

SHA512
7f0b88c74179866956e2358e21e4700ed9baf1c28712ee78aea689a8027c62aa05c781984c0e3bdca83657b7d34570d5f1e670ef95c91f46f48680c07e53325a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe

Filesize
304KB

MD5
58e8b2eb19704c5a59350d4ff92e5ab6

SHA1
171fc96dda05e7d275ec42840746258217d9caf0

SHA256
07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834

SHA512
e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe

Filesize
307KB

MD5
791fcee57312d4a20cc86ae1cea8dfc4

SHA1
04a88c60ae1539a63411fe4765e9b931e8d2d992

SHA256
27e4a3627d7df2b22189dd4bebc559ae1986d49a8f4e35980b428fadb66cf23d

SHA512
2771d4e7b272bf770efad22c9fb1dfafe10cbbf009df931f091fb543e3132c0efda16acb5b515452e9e67e8b1fc8fe8aedd1376c236061385f026865cdc28d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000354001\369dd67328.exe

Filesize
1.8MB

MD5
030bba3e5d11a4f42077b65ca2ef8bbb

SHA1
89e9f14f0473cef69dd656aaa546b6ee007f39c9

SHA256
139efc522fb50a3857dd38a3cd79fb90d4ce277cb632ad5490bf66542f8a004e

SHA512
7817e535bb4aef3d1413ff1b58b28e2f44537720a2f38e13292eb9e51f3f2fc8135d06cc13b1cdeff3bf88310c45fa56639b91c1d9b41448d7a29180f39467bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000355001\5911822b36.exe

Filesize
1.8MB

MD5
945995d3c7c08cff97cf6da57f42e7b8

SHA1
6e0a2350fad103c45ed60520324e172ac627a5d1

SHA256
27b09bf2dd3b6545dd7cbd0817c24c60bb9111aebc4e6af76691f91556c213dd

SHA512
45ce74820a0fac42eb4912d479b89d217a918121d19edd3ab216936f6c19db0e6a02cc3393611daa6d97c35c28db969ec84cec4bb853c7732803e3b26271d047

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000367001\processclass.exe

Filesize
6KB

MD5
c042782226565f89ce3954489075e516

SHA1
256dd5ba42837a33c7aa6cb71cef33d5617117ee

SHA256
a7b63cd9959ac6f23c86644a4ca5411b519855d47f1f5e75a1645d7274f545a6

SHA512
9f0771c66ea7c0a2264b99a8782e3ab88a2d74b609265b5ce14f81dcc52b71e46248abd77767018711d72a18e20fe3b272513bfd722fff9043f962f7c8ed93fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000368001\splwow64.exe

Filesize
1.3MB

MD5
2b01c9b0c69f13da5ee7889a4b17c45e

SHA1
27f0c1ae0ddeddc9efac38bc473476b103fef043

SHA256
d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29

SHA512
23d4a0fc82b70cd2454a1be3d9b84b8ce7dd00ad7c3e8ad2b771b1b7cbca752c53feec5a3ac5a81d8384a9fc6583f63cc39f1ebe7de04d3d9b08be53641ec455

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000378001\66fa80c468fe3_Channel2.exe

Filesize
9.5MB

MD5
00f86418396c17d89d43328753aa0e94

SHA1
535724a5b79937c3241e59460cf8f0b461625b22

SHA256
cb5f4641a3d416400f25611738e50f3cee8479c6d2c5ade6e4a2c36a14ac2e38

SHA512
5e3d6e058c0a7d78581c0c354b2d43d755afa3fdb25d5e308816e0a336f945e4b6d59a3cbea9a790f45c4ce516c6caf698400e1695a3a51fab4343ead9738c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000386001\2.exe

Filesize
7.2MB

MD5
eadf1731c7b0155cef6e7813007c73ca

SHA1
582c875ea0604fcac26a1535b0899fd7d36a4ca7

SHA256
432f4077d2f9d7e37290e2baef855ed9943712c40808ba1394892c61275b57cc

SHA512
05d0eed78f6fd8b6f6c85fac5ed5a4c4fcf80a92cfc3dd430595559af0ccd3374467f092a38d4a461523e86c029fa3d1d090be4e3a059e393b989d30637252f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000398001\file.exe

Filesize
482KB

MD5
13095aaded59fb08db07ecf6bc2387ef

SHA1
13466ec6545a05da5d8ea49a8ec6c56c4f9aa648

SHA256
02b4e1709e79653e9569bf727301f92d4928726ba69d8d764db5841b94d63671

SHA512
fe10e40072e12c68edd3c3fcb9583253a4ee9fd7ec42f2a423829202abedf443c654968acb44919ad8ba3ecafa77c95b7fd2b8b641dd83779960363c0bb11bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe

Filesize
314KB

MD5
ff5afed0a8b802d74af1c1422c720446

SHA1
7135acfa641a873cb0c4c37afc49266bfeec91d8

SHA256
17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

SHA512
11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000401001\resota.exe

Filesize
6.9MB

MD5
aebc57b12bbfd717e69bf34fe29ef385

SHA1
33767e169e0509635d4e5409952d57f8cc7bdefa

SHA256
34cca02c4c2a2988e78852bff07c25c8cbddeb1818485593bede5588f8b1ead0

SHA512
4c73729a5702f901ba74b07a6108e871859b22e9c21b65d4c28d298c2adaec7636ee085225feff31fd1262264cb50b1b48c70f44aa7e54191ac6699c4df7bb2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
c66b635299ed3301414a579b16e04c5c

SHA1
6cd13860578174194beef8cfd0cbe0cfc8f2dfaa

SHA256
54187b2421d371ae1c54ef595c93baa2fb74eb51fd4b3cd2357646623f38b3bb

SHA512
e29242970c9b2ca1bf32a2a38058cef75716f683d93af2af60fe3aa865558acf967e242b918c0a361f1714fe91ef3181134de4c1825428c26d14ba8ff97bf1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\607698\Q

Filesize
794KB

MD5
7b5632dcd418bcbae2a9009dbaf85f37

SHA1
32aaf06166854718f0bcbb2f7173c2732cfb4d33

SHA256
361e9c3b62719b79bc280420b5f710e160fd55f2250bf605911ded7162483db4

SHA512
c834e90ccf2d35529c294319b8e9a49db7a7d67d0567e0739131d5af51170db32076d68147dc101f8047a75cb5b2275b25a9c8346a99a146a6798b9764316838

Download Submit
C:\Users\Admin\AppData\Local\Temp\607698\Waters.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asbestos

Filesize
60KB

MD5
19121d99734080f4fdd9ca3008168360

SHA1
b00acbdd3fa952df781ca9ad5c86ded9f2d51ec6

SHA256
37576e4b3a1e0004b4cf7da625b865a62d895411ed157c538f5f4cd3aa6fab7a

SHA512
e2e863d19e2f560c1deb018c3c2748be170b11fcb520ed7e7ea20727646bcacb0b5c3ed04e856943c67e51f5083c90aa3dd1f8794a83901a203c8bac4fa51c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ashley

Filesize
52KB

MD5
e522956891659c41bd8550b8d5e16231

SHA1
4380c8a0c30db1532728cdb72707f9f1847cc87d

SHA256
ddb7f60ab5f8957955dd20f2dc270e3ef833d3727f374a8c4c444634bd05609d

SHA512
35c81ef1a2c040dbd52cad9f38fda43d8836d955b62e478ae941a4ba67d297dc1c4b40d6b30959c5d2f784d5cb0d19c795307906d52ad0e7eb72bd0e4235172f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bet

Filesize
55KB

MD5
0f3f07b667e947c4da38813d6d651e2a

SHA1
692622d5e5705f8f65db96f70d8c7c2f7fd5a640

SHA256
32b3d9d5bc58659ea524aa2cabd9cfc81b73e679e3d2cc899dfb00439612f5ff

SHA512
449ab13dd860b08570c589dc24e468dd880434c3be774ba4f078d8f116d710326fc546de621dce8a27e134f70f651d44642ec0ece37375332a7d7725e9ddcf9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Emotions

Filesize
19KB

MD5
b98d78c3abe777a5474a60e970a674ad

SHA1
079e438485e46aff758e2dff4356fdd2c7575d78

SHA256
2bc28afb291ece550a7cd2d0c5c060730eb1981d1cf122558d6971526c637eb4

SHA512
6218413866237bc1f6eada6554658a00c9fc55402e104576b33a2e8d4adf0fd952d8cc8d1ae3a02ebcfa030115fc388fc1a6f23b9d372f808e11e1b551064e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ensures

Filesize
75KB

MD5
c6fa82d60cfbf9e83b4cf3cbd1f01552

SHA1
a310c3577c5e439aa306a0a5dae2c75ea39c126e

SHA256
2686b284d1c21d06ab10829c16657334e13428210ccda89f68bfb8acbfc72b42

SHA512
e35a67a63fac7db37431bc0ab910a9c33a41e5a910ae79181a74aaf13ed23d65ef500a9e5a482e749cd9666c146d8403f83c6be2d9aa013d6d7c6bc0f07fac9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fla

Filesize
82KB

MD5
e139e52f93ae3e19ab47f437cbe8b3de

SHA1
2d5b56c3c0a454fefbf7c7a466ad000c05258bd6

SHA256
e0c1c46fa4582a3826f7aed2f7fb454d3ee42a425f214321910c25cc1d8879d5

SHA512
4feba8bf6916c979fa45e16a368f22a165985e1dfd75697fd7a7534f5e64afe438206074b2f8aa884d5666e80c55544c62d5cc48f8429e7c843c01d1af060878

Download Submit
C:\Users\Admin\AppData\Local\Temp\Language

Filesize
72KB

MD5
5de7106df85e2f96f46f642d98433ad1

SHA1
f77a8182904a897a8d41858c6f5b87c3e8b21195

SHA256
9201319c9c07e4312717845e59c9fe3a987f70575cd63e4c042db778ebe4d5e9

SHA512
7c4b04d513e80873ea3030162702e5eff8ea17b44844ba2809805f92c6a7d6ed396ef660b78e274334448f31c447f26212c6779e801f330611d6a01f04449047

Download Submit
C:\Users\Admin\AppData\Local\Temp\Navy

Filesize
56KB

MD5
d4eb107cfd9fc38ed7e7b253562e155a

SHA1
7fc17c27c9f4739c19211600398bf1ee9df84dc5

SHA256
68e9a8d57ba2a484dd28a1afed5262a86aff4d81467b93b4072f329fab984f4c

SHA512
3a95c48e7a61239cbaa857459a6a106536dfd8190205275e2549a9939116833141276dd5b6c81ff337d2340eedba633d9ca01a03fb490eb27184becc97626e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Participants

Filesize
2KB

MD5
f0e725addf4ec15a56aa0bde5bd8b2a7

SHA1
1f54a49195d3f7fd93c5fec06cc5904c57995147

SHA256
7cbd6810cb4dd516eeb75df79d1db55f74471c11594333ac225f24bfc0fca7ca

SHA512
00f14e435e0f8396f6c94fd5ace3f3645e87511b9e41e8c7c7caadb751ed826f60362ac007c80e9c3bd16f8f31b3a9107cbb39bf5c26d20a0ab5129e695f5269

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rick

Filesize
869KB

MD5
e0d37e7b879f4b4e0dde5006da5009bd

SHA1
33d19bdb8a0ae45a38ab6899381ca8bc1ea7c1a5

SHA256
27014daa44b8b92e1684970350c43bb1701d3a592572e650e1e00be1470e5f77

SHA512
68b2f357b3f02f3181df095ddc6fe8ff1810a150e832c245e428f973a096301b1d13fce00ad28af662c4aea371f872d56348fe7b5d2070ed3f1c49388efd3f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Set-up.exe

Filesize
6.7MB

MD5
980556548e1aadbea1796d6f6066dbbb

SHA1
54578bbddaa55cfa274cdb0b9f55c35149813bb1

SHA256
5890ffbb15ab4e25e30e1f9f4b04159c257832c06343d1a80c2c36de60bbf817

SHA512
848899c14f0e817f89e790db9f97b5120e6d8fbbdf176e05f03705aa8856d6dff8eba4baacbc340035529e4e50d5b4646cb22240a02015621f7face5344509db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Streaming

Filesize
97KB

MD5
1501de696d22f872db44b548cba0e4fa

SHA1
ed8a2948aaf041bfd0196a180f5888bdddcb9879

SHA256
dcf4784ea71a3e1a42318c09183d4b5981009d296814d3679ca68eb0a7c9e2ef

SHA512
fa931ce9f6ab6928cec1c999f1aa6082bd7c5c74eff317fc6b1bd0d9f88de2753e157ebd4d6a2719c5861f7fdc12bcde5859945633c1a2b8e0967684771f84bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temperature

Filesize
89KB

MD5
249d56cbe275c2258ccd964f0c6241d9

SHA1
8ac982fe39012b8812ed9dcf16e8e00c9a74b0bc

SHA256
7c16e21e29d442bf0b459d083198b22ee9c6d9926e3aa61f43dc3a1ee3ecb731

SHA512
440d7ff539e737e4e3b74549be7495d0f3b3230888355bc93eeca8084c80f255d988839ef455b4f6841fbaa64aabfdef9233130663aa3c24f711d01edb8e6be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpD997.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Viruses

Filesize
89KB

MD5
7c9dd6f9fa719321b72805df762a82da

SHA1
64b135116d963e47848e29a002a3207bc01ab2c0

SHA256
98232a6528beb079d8fa9d77751722159d4974e6859df867efb3ba7a3eec4bec

SHA512
480d16e0d1e5021b9042378df235323324fc8341461e59d117471aa0da07fe8ef6367d0e14479b4bbb854f29d1f092ba3e9776fa2bf56b34ab73f5a858e6b3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Width

Filesize
67KB

MD5
12d9ad507c856d833101c9e367466555

SHA1
b6398b345226279cfab1559bf3847e3d9526dcff

SHA256
8e7415ed2d0d5c6e69d6a02bc3928c9adf685a43932e4543084b917946361974

SHA512
0ba3913d4a3ca266f0812263245a25caa0bbd9b81766992c8dc05466d9cd86cb79843c53c29bb26c005ef15c0f90ab97978209038181501135a7b27fb5b34d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup3.exe

Filesize
218KB

MD5
95097c87eae2f20cd03890e0a3584659

SHA1
022153fa247c8506cbf67ebc71b9a61e03ae1167

SHA256
809fdcb335d592a50cfe0e832deec8300ec487822c01311fe98c400ff2ad3fcb

SHA512
8245ccb9526305e75d8589653afa0067086b913d16ba3ac214ee91869b12c29cdde27c4aaed768b27c025ddf743e6b6d2f085bf06391441bc1a838ca4fb3ca07

Download Submit
C:\Users\Admin\AppData\Roaming\6ykOIk4yn4.exe

Filesize
602KB

MD5
e4fc58d334930a9d6572c344e5129f6b

SHA1
d38fbd0c4c86eee14722f40cc607e2128c01b00f

SHA256
973a9056040af402d6f92f436a287ea164fae09c263f80aba0b8d5366ed9957a

SHA512
a69f5da8de8c9782769cca2e2fc5b28bbeba0c0d0027954dbe47b15610d82277abbe912f0e5921a18000f1a3a3c54eb5922f70c773537a22f4b35ff926d17a59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-945322488-2060912225-3527527000-1000\76b53b3ec448f7ccdda2063b15d2bfc3_03d68389-5a68-4d9e-92ac-47b927e624dd

Filesize
2KB

MD5
1125bf63dce78cd06dd741814f6ad518

SHA1
398cf23586e4158e4800da5cb8f5672cf11b8625

SHA256
11970488785e89d45debafb1d1714df2a12c7a849a18e8338b28d582dc87b346

SHA512
4570a5954a6fcf237fec042ce114fe26d80d2bee4a58a04511bdf4c65765e89603c50db6f0bf5702d088ea2fba5d26d3e4b3c88d744253810a040bbd27c64bff

Download Submit
C:\Users\Admin\AppData\Roaming\yGyJAwQYo5.exe

Filesize
393KB

MD5
7d7366ab79d6d3d8d83d13a8b30de999

SHA1
75c6c49a6701d254c3ce184054a4a01329c1a6f3

SHA256
3d66fed04c76d055c6149b33dcfda544b509c57087c57a861e1d6256b59f8465

SHA512
64f4551b3be1c21ce7c2d49608463e5aec4166e3e6893883c33a5b7d1109ef0fc8ab6bd15c70d9d606e2706f12a937c2d90d5bc8f6c629ad6f30f212dc25f022

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
df35b1229e045b7cfd9b9576c7af6a0a

SHA1
4d685fce7540a4ec10853b20987ca8831e5f184b

SHA256
8168f2470bb7a27e3a09aaa7e8748b2150e4e96a76f6017214c8392d907ce2bc

SHA512
8b8ebc2f658180edec34e20337491bd60829832110d1be28e08544afa2707b8b064933ac8662f524b88b4e0c79776df526e44a786ccc04388271ba9013c1dc55

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
353e9e2fa47d7a9c14a35cceac0360b3

SHA1
18c41db29a4c28597f096ba252868cb57186eff1

SHA256
a402c8dac3b12da5d655c7b3dcd6483fa998dc33fb49c8fcf8ec0d63fc4bacbf

SHA512
60a044bcdff9cdaf3ac7011e5ca6eca8ce4657db73a1d428008ea153f890e679dce2474917666290764545effb6215b4f4a836304c03ebf1e32da354b685c7ed

Download Submit
memory/992-743-0x00000000009C0000-0x0000000000E69000-memory.dmp

Filesize
4.7MB

Download
memory/992-741-0x00000000009C0000-0x0000000000E69000-memory.dmp

Filesize
4.7MB

Download
memory/1116-0-0x0000000000850000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/1116-15-0x0000000000850000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/1116-1-0x0000000077BA4000-0x0000000077BA6000-memory.dmp

Filesize
8KB

Download
memory/1116-2-0x0000000000851000-0x000000000087F000-memory.dmp

Filesize
184KB

Download
memory/1116-3-0x0000000000850000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/1116-4-0x0000000000850000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/1204-89-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1204-110-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1204-87-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1204-88-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1268-450-0x00000000009C0000-0x0000000000E69000-memory.dmp

Filesize
4.7MB

Download
memory/1268-541-0x00000000009C0000-0x0000000000E69000-memory.dmp

Filesize
4.7MB

Download
memory/1268-460-0x00000000009C0000-0x0000000000E69000-memory.dmp

Filesize
4.7MB

Download
memory/1268-502-0x00000000009C0000-0x0000000000E69000-memory.dmp

Filesize
4.7MB

Download
memory/1268-499-0x00000000009C0000-0x0000000000E69000-memory.dmp

Filesize
4.7MB

Download
memory/1268-340-0x00000000009C0000-0x0000000000E69000-memory.dmp

Filesize
4.7MB

Download
memory/1428-587-0x0000000001300000-0x0000000001382000-memory.dmp

Filesize
520KB

Download
memory/1428-592-0x0000000001300000-0x0000000001382000-memory.dmp

Filesize
520KB

Download
memory/1428-591-0x0000000001300000-0x0000000001382000-memory.dmp

Filesize
520KB

Download
memory/1428-588-0x0000000001300000-0x0000000001382000-memory.dmp

Filesize
520KB

Download
memory/1428-586-0x0000000001300000-0x0000000001382000-memory.dmp

Filesize
520KB

Download
memory/1428-590-0x0000000001300000-0x0000000001382000-memory.dmp

Filesize
520KB

Download
memory/1428-589-0x0000000001300000-0x0000000001382000-memory.dmp

Filesize
520KB

Download
memory/1728-303-0x0000000000920000-0x0000000000DC9000-memory.dmp

Filesize
4.7MB

Download
memory/1728-339-0x0000000000920000-0x0000000000DC9000-memory.dmp

Filesize
4.7MB

Download
memory/2068-304-0x0000000009780000-0x00000000097D0000-memory.dmp

Filesize
320KB

Download
memory/2068-65-0x0000000007540000-0x000000000757C000-memory.dmp

Filesize
240KB

Download
memory/2068-40-0x0000000005880000-0x0000000005912000-memory.dmp

Filesize
584KB

Download
memory/2068-41-0x0000000005860000-0x000000000586A000-memory.dmp

Filesize
40KB

Download
memory/2068-58-0x00000000065C0000-0x0000000006636000-memory.dmp

Filesize
472KB

Download
memory/2068-59-0x0000000006C50000-0x0000000006C6E000-memory.dmp

Filesize
120KB

Download
memory/2068-39-0x0000000005D90000-0x0000000006334000-memory.dmp

Filesize
5.6MB

Download
memory/2068-222-0x0000000007030000-0x0000000007096000-memory.dmp

Filesize
408KB

Download
memory/2068-64-0x00000000074E0000-0x00000000074F2000-memory.dmp

Filesize
72KB

Download
memory/2068-243-0x0000000009AB0000-0x0000000009FDC000-memory.dmp

Filesize
5.2MB

Download
memory/2068-242-0x00000000093B0000-0x0000000009572000-memory.dmp

Filesize
1.8MB

Download
memory/2068-38-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2068-66-0x0000000007580000-0x00000000075CC000-memory.dmp

Filesize
304KB

Download
memory/2068-62-0x00000000075E0000-0x0000000007BF8000-memory.dmp

Filesize
6.1MB

Download
memory/2068-63-0x0000000008E60000-0x0000000008F6A000-memory.dmp

Filesize
1.0MB

Download
memory/2220-695-0x00000000009C0000-0x0000000000E69000-memory.dmp

Filesize
4.7MB

Download
memory/2220-699-0x00000000009C0000-0x0000000000E69000-memory.dmp

Filesize
4.7MB

Download
memory/2364-387-0x0000000000B30000-0x0000000000D73000-memory.dmp

Filesize
2.3MB

Download
memory/2364-156-0x0000000000B30000-0x0000000000D73000-memory.dmp

Filesize
2.3MB

Download
memory/2364-225-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2620-508-0x0000000004870000-0x00000000048E1000-memory.dmp

Filesize
452KB

Download
memory/2620-517-0x0000000004870000-0x00000000048E1000-memory.dmp

Filesize
452KB

Download
memory/2620-510-0x0000000004870000-0x00000000048E1000-memory.dmp

Filesize
452KB

Download
memory/2620-509-0x0000000004870000-0x00000000048E1000-memory.dmp

Filesize
452KB

Download
memory/2620-507-0x0000000004870000-0x00000000048E1000-memory.dmp

Filesize
452KB

Download
memory/2620-506-0x0000000004870000-0x00000000048E1000-memory.dmp

Filesize
452KB

Download
memory/2620-505-0x0000000004870000-0x00000000048E1000-memory.dmp

Filesize
452KB

Download
memory/2620-504-0x0000000004870000-0x00000000048E1000-memory.dmp

Filesize
452KB

Download
memory/2972-439-0x0000000000630000-0x0000000000891000-memory.dmp

Filesize
2.4MB

Download
memory/2972-172-0x0000000000630000-0x0000000000891000-memory.dmp

Filesize
2.4MB

Download
memory/3068-113-0x0000000000360000-0x00000000003C8000-memory.dmp

Filesize
416KB

Download
memory/3068-169-0x000000001D560000-0x000000001D66A000-memory.dmp

Filesize
1.0MB

Download
memory/3212-656-0x0000000000F90000-0x0000000001686000-memory.dmp

Filesize
7.0MB

Download
memory/3312-453-0x00000000009C0000-0x0000000000E69000-memory.dmp

Filesize
4.7MB

Download
memory/3312-459-0x00000000009C0000-0x0000000000E69000-memory.dmp

Filesize
4.7MB

Download
memory/3756-500-0x0000000000360000-0x0000000000CF2000-memory.dmp

Filesize
9.6MB

Download
memory/3840-197-0x00000000006E0000-0x0000000000732000-memory.dmp

Filesize
328KB

Download
memory/3840-613-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3840-635-0x0000000008390000-0x00000000083DC000-memory.dmp

Filesize
304KB

Download
memory/3884-611-0x00000000006C0000-0x0000000000714000-memory.dmp

Filesize
336KB

Download
memory/4044-403-0x0000000000190000-0x0000000000844000-memory.dmp

Filesize
6.7MB

Download
memory/4044-278-0x0000000000190000-0x0000000000844000-memory.dmp

Filesize
6.7MB

Download
memory/4348-457-0x00000000003B0000-0x0000000000874000-memory.dmp

Filesize
4.8MB

Download
memory/4348-455-0x00000000003B0000-0x0000000000874000-memory.dmp

Filesize
4.8MB

Download
memory/4444-745-0x00000000003B0000-0x0000000000874000-memory.dmp

Filesize
4.8MB

Download
memory/4480-501-0x00000000003B0000-0x0000000000874000-memory.dmp

Filesize
4.8MB

Download
memory/4480-497-0x00000000003B0000-0x0000000000874000-memory.dmp

Filesize
4.8MB

Download
memory/4480-241-0x00000000003B0000-0x0000000000874000-memory.dmp

Filesize
4.8MB

Download
memory/4480-420-0x00000000003B0000-0x0000000000874000-memory.dmp

Filesize
4.8MB

Download
memory/4480-21-0x00000000003B0000-0x0000000000874000-memory.dmp

Filesize
4.8MB

Download
memory/4480-198-0x00000000003B0000-0x0000000000874000-memory.dmp

Filesize
4.8MB

Download
memory/4480-20-0x00000000003B0000-0x0000000000874000-memory.dmp

Filesize
4.8MB

Download
memory/4480-16-0x00000000003B0000-0x0000000000874000-memory.dmp

Filesize
4.8MB

Download
memory/4480-18-0x00000000003B0000-0x0000000000874000-memory.dmp

Filesize
4.8MB

Download
memory/4480-19-0x00000000003B0000-0x0000000000874000-memory.dmp

Filesize
4.8MB

Download
memory/4480-276-0x00000000003B0000-0x0000000000874000-memory.dmp

Filesize
4.8MB

Download
memory/4480-516-0x00000000003B0000-0x0000000000874000-memory.dmp

Filesize
4.8MB

Download
memory/4480-637-0x00000000003B0000-0x0000000000874000-memory.dmp

Filesize
4.8MB

Download
memory/4480-277-0x00000000003B0000-0x0000000000874000-memory.dmp

Filesize
4.8MB

Download
memory/4544-37-0x0000000000C34000-0x0000000000C35000-memory.dmp

Filesize
4KB

Download
memory/4764-327-0x0000000000F50000-0x0000000000F58000-memory.dmp

Filesize
32KB

Download
memory/4848-657-0x0000000000C80000-0x00000000013B7000-memory.dmp

Filesize
7.2MB

Download
memory/4848-532-0x0000000069CC0000-0x000000006A377000-memory.dmp

Filesize
6.7MB

Download
memory/4948-173-0x000000001BB90000-0x000000001BBA2000-memory.dmp

Filesize
72KB

Download
memory/4948-175-0x000000001C900000-0x000000001C93C000-memory.dmp

Filesize
240KB

Download
memory/4948-199-0x000000001EBB0000-0x000000001EC26000-memory.dmp

Filesize
472KB

Download
memory/4948-114-0x0000000000E80000-0x0000000000F1C000-memory.dmp

Filesize
624KB

Download
memory/4948-217-0x000000001C960000-0x000000001C97E000-memory.dmp

Filesize
120KB

Download
memory/4996-697-0x00000000003B0000-0x0000000000874000-memory.dmp

Filesize
4.8MB

Download
memory/5064-421-0x00000000000B0000-0x0000000000311000-memory.dmp

Filesize
2.4MB

Download
memory/5064-461-0x00000000000B0000-0x0000000000311000-memory.dmp

Filesize
2.4MB

Download